Mesh network commissioning

ABSTRACT

In embodiments of mesh network commissioning, a commissioning device establishes a secure commissioning communication session between the commissioning device and a border router of a mesh network to securely establish network communication sessions for joining one or more joining devices to the mesh network. The commissioning device can activate joining for the mesh network, and receive a request from a joining device to join the mesh network. The commissioning device can establish a secure joiner communication session between the commissioning device and the joining device, authenticate the joining device using an encrypted device identifier, and join the joining device to the mesh network.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority to U.S. patent application Ser. No.14/749,616 filed Jun. 24, 2015, the disclosure of which is incorporatedby reference herein in its entirety. The application Ser. No. 14/749,616claims priority under 35 U.S.C. §119(e) to U.S. Provisional PatentApplication Ser. No. 62/016,450 filed Jun. 24, 2014, the disclosure ofwhich is incorporated by reference herein in its entirety. Theapplication Ser. No. 14/749,616 also claims priority to U.S. ProvisionalPatent Application Ser. No. 62/063,135 filed Oct. 13, 2014, thedisclosure of which is incorporated by reference herein in its entirety.The application Ser. No. 14/749,616 also claims priority to U.S.Provisional Patent Application Ser. No. 62/115,601 filed Feb. 12, 2015,the disclosure of which is incorporated by reference herein in itsentirety. The application Ser. No. 14/749,616 also claims priority toU.S. Provisional Patent Application Ser. No. 62/141,853 filed Apr. 2,2015, the disclosure of which is incorporated by reference herein in itsentirety.

BACKGROUND

Using wireless mesh networking to connect devices to each other, and tocloud-based services, is increasingly popular for sensing environmentalconditions, controlling equipment, and providing information and alertsto users. However many devices on mesh networks are designed to operatefor extended periods of time on battery-power, which limits theavailable computing, user interface, and radio resources in the devices.Additionally, to ensure the security of mesh networks, the identity ofdevices joining and operating on a mesh network is authenticated, andcommunication within the mesh network is encrypted, based on credentialsthat are commissioned into the devices. However, with the increasingubiquity and scale of mesh networks, commissioning techniques limit thequality of user experience for commissioning, the accuracy of joining adevice to the correct mesh network, securely injecting credentials intothe devices, and provisioning device-specific and application-specificinformation into a device during commissioning.

SUMMARY

This summary is provided to introduce simplified concepts of meshnetwork commissioning. The simplified concepts are further describedbelow in the Detailed Description. This summary is not intended toidentify essential features of the claimed subject matter, nor is itintended for use in determining the scope of the claimed subject matter.

Mesh network commissioning, generally related to joining nodes in a meshnetwork, is described. In embodiments, a joiner router can receive abeacon request from a joining device, and then transmit a beacon fromthe joiner router to the joining device, where the beacon provides anindication that a mesh network is available for joining. The transmittedbeacon is also enables the joining device to establish a local linkbetween the joining device and the joiner router. The joiner routerreceives a message from the joining device requesting to join the meshnetwork. The message received from the joining device can include adevice identifier that is usable to authenticate the joining device,which is authenticated using Password Authenticated Key Exchange byJuggling (J-PAKE) or any other suitable cipher suite, and theauthentication is effective to establish a secure communication sessionbetween a commissioning device and the joining device. The joiner routerforwards the received message to the commissioning device of the meshnetwork, which can include forwarding the received message through oneor more routers of the mesh network in a communication path between thejoiner router and the commissioning device. In implementations, one ofthe routers may be a border router that connects the mesh network to anexternal network, and the commissioning device is attached to theexternal network. The joiner router then receives an authorization forthe joining device to join the mesh network from the commissioningdevice, and the joiner router transmits network information to thejoining device, where the network information enables the joining deviceto join the mesh network.

Mesh network commissioning, generally related to joining nodes in a meshnetwork, is described. In embodiments, a joiner router can receive abeacon request from a joining device, and then transmit a beacon fromthe joiner router to the joining device, where the beacon provides anindication that a mesh network is available for joining. The transmittedbeacon also enables the joining device to establish a local link betweenthe joining device and the joiner router. The joiner router relays aDTLS-ClientHello message, from a joining device requesting to join amesh network, in a DTLS Relay Receive Notification message, which istransmitted to a commissioning device of the mesh network. The joinerrouter receives a DTLS Relay Transmit Notification message from thecommissioning device, and transmits content of the DTLS Relay TransmitNotification message to the joining device, where the content enablesthe joining device to join the mesh network and is effective toestablish a secure communication session between the commissioningdevice and the joining device. The joiner router receives an indicationfrom the commissioning device that the joining device is to be entrustedto receive network credentials for the mesh network, and receives a KeyEncryption Key (KEK) that is shared between the commissioning device andthe joining device. The joiner router then transmits the networkcredentials, and other essential network parameters, from the joinerrouter to the joining device using the KEK to encrypt and authenticate amessage at a Media Access Control (MAC) layer, to securely communicatethe network credentials. The secure communication session is usable toperform provisioning of the joining device.

Mesh network commissioning, generally related to establishing acommissioning session, is described. In embodiments, a border routerreceives a petition from a commissioning device to become thecommissioner for joining devices to the mesh network. The border routeradvertises availability of the mesh network for commissioning devices.In response to receiving the advertisement, the commissioner sends thepetition in response to the commissioning device receiving theadvertising. The border router can transmit the received petition to aleader device of the mesh network, and receive a response to thepetition from the leader device, where the response indicates acceptanceor rejection of the petition. The border router transmits an indicationof the acceptance or the rejection of the petition to the commissioningdevice. An acceptance of the petition by the leader device authorizesthe commissioning device to be the commissioner for the mesh network anda secure commissioning session is established. The acceptance of thepetition also enables the leader device to update an internal state thattracks an active commissioner for the mesh network, enable joiningacross the mesh network, communicate a set of devices that are allowedto join the mesh network, and propagate a commissioning dataset withinthe mesh network.

In other aspects of mesh network commissioning, the border router canalso register an identity of the commissioning device to establish asecure commissioning communication session, including providing ahardened (e.g., cryptographically hashed) commissioning credential tothe border router, wherein the hardened commissioning credential wasderived from a commissioning credential passphrase that was input to thecommissioning device by a user. The border router includes a copy of theencrypted commissioning credential usable to authenticate thecommissioning device to the mesh network, where the copy of theencrypted commissioning credential was previously derived from thecommissioning credential. The commissioning credential was injected intothe leader device of the mesh network that derived the copy of theencrypted commissioning credential, and the leader device communicatedthe copy of the encrypted commissioning credential securely to theborder router.

Mesh network commissioning, generally related to establishing acommissioning session, is described. In embodiments, a leader device ofa mesh network receives a petition to accept a commissioning device as acommissioner to commission joining devices to join the mesh network. Theleader device can determine whether to accept or reject the receivedpetition, and transmit a response to the commissioning device with anindication of whether the received petition is accepted or rejected. Thedetermination as to whether to accept or reject the received petitionfrom the commissioning device may include ensuring that there is asingle active commissioner for the mesh network. In response to adetermination of the received petition being accepted, the leader devicecan update an internal state that tracks an active commissioner for themesh network.

In other aspects of mesh network commissioning, the leader device canreceive a command from the commissioning device to initiate a joiningmode for the mesh network, and propagate a commissioning dataset withinthe mesh network. The hardened commissioning credential can be derivedfrom a commissioning credential that was injected into the leader deviceduring commissioning of the leader device. The leader device can send acopy of the encrypted commissioning credential to the border router,enabling the border router to authenticate the commissioning device tothe mesh network.

Mesh network commissioning, generally related to managing multiplecommissioning sessions, is described. In embodiments, a commissioningdevice establishes a secure commissioning communication session betweenthe commissioning device and a border router of a mesh network tosecurely establish network communication sessions for joining one ormore joining devices to the mesh network. The secure commissioningcommunication session is used by the commissioning device to send apetition to a leader device of the mesh network to request acceptance ofthe commissioning device as an active commissioner for the mesh network,and receiving an indication of an acceptance of the petition from theleader device. The commissioning device can activate joining for themesh network, and receive a request from a joining device to join themesh network. To activate joining for the mesh network, thecommissioning device can initiate a joining mode that causes the routersin the mesh network to advertise that the mesh network is acceptingjoining requests.

In other aspects of mesh network commissioning, the commissioning devicecan also send a management message to a leader device to make the meshnetwork joinable, where the management message enables the leader deviceto update network data for the mesh network. The management message caninclude steering data that indicates joining devices that are allowed tojoin to the mesh network. The network data is then propagated to therouter devices in the mesh network, where the network data includes anindication that the mesh network is available for joining. The joiningdevice establishes a secure joiner communication session with thecommissioning device. The commissioning device authenticates the joiningdevice using a Pre-Shared Key for the Device (PSKd) for the joiningdevice, and joins the joining device to the mesh network. The securejoiner communication session can be established by the commissioningdevice determining that the encrypted device identifier received fromthe joining device matches an encrypted device identifier derived by thecommissioning device from a copy of the device identifier that isreceived as an input to the commissioning device from a user, and usingthe encrypted device identifier as a shared secret to secure the joinercommunication session.

A request from a joining device to join the mesh network can be receivedvia a joiner router, and the commissioning device transmits, to thejoiner router, an indication that the joining device is to be entrustedto receive network credentials for the mesh network and a Key EncryptionKey (KEK), which is shared between the commissioning device and thejoining device. The transmission to the joining device via the joinerrouter is effective to enable the joiner router to use the received KEKto securely transmit the network credentials to the joining device tocommission the joining device to the mesh network. The request that isreceived from the joining device can include an encrypted deviceidentifier of the joining device, where the encrypted device identifieris derived from a device identifier of the joining device using PasswordAuthentication Key Exchange by Juggling (J-PAKE).

Mesh network commissioning, generally related to provisioning a joiningdevice, is described. In embodiments, a commissioning device canestablish a commissioning communication session between thecommissioning device and a border router of a mesh network, and alsoestablish a joiner communication session between the joining device andthe commissioning device. The commissioning device can then sendcommissioning information to the joining device, where the commissioninginformation is usable by the joining device to join the mesh network.The commissioning device receives an indication of a location of acommissioner application from the joining device, utilizes the receivedindication to retrieve the commissioner application, and executes thecommissioner application to provision the joining device.

Mesh network commissioning, generally related to hunting and steering,is described. In embodiments, a commissioning device of a mesh networkcan determine steering data for the mesh network, where the steeringdata is an indication of a device identifier associated with a devicethat is allowed to join the mesh network. The commissioning device canthen propagate the steering data from the commissioning device for themesh network to one or more routers in the mesh network, and thesteering data indicates that a commissioner is active on the meshnetwork. The commissioning device propagating the steering data enablesthe one or more routers to transmit the steering data in a beaconmessage, and the steering data is effective to enable the deviceassociated with the device identifier to identify that the device isallowed to join the mesh network. In implementations, the steering datais a 16-bit Cyclic Redundancy Check (CRC16) of the device identifier,which is an IEEE 64-bit Extended Unique Identifier (EUI-64). Thecommissioning device can determine the steering data for the meshnetwork by determining the steering data for additional deviceidentifiers associated with additional devices that are allowed to jointhe mesh network. The commissioning device propagating the steering datais effective to enable the device to distinguish the mesh network fromother networks, where the other networks are IEEE 802.15.4 networks.

Mesh network commissioning, generally related to hunting and steering,is described. In embodiments, a commissioning device of a mesh networkcan determine steering data for the mesh network, where the steeringdata includes an indication of a device identifier associated with adevice that is allowed to join the mesh network, and the indication isrepresented as a set of values in a Bloom filter that represent thedevice identifier. The commissioning device can then propagate thesteering data from the commissioning device for the mesh network to oneor more routers in the mesh network. Propagating the steering dataenables the routers to transmit the steering data in a beacon message,where the steering data enables the device associated with the deviceidentifier to compare the set of values in the Bloom filter to a secondset of values determined at the device to identify that the device isallowed to join the mesh network.

In other aspects of mesh network commissioning, the commissioning devicedetermines the steering data by applying a first hash function to thedevice identifier to produce a first hash value, and applying a secondhash function to the device identifier to produce a second hash value.The device identifier can be an IEEE 64-bit Extended Unique Identifier(EUI-64), where the device identifier is the least significanttwenty-four bits of the EUI-64. In implementations, the first and secondhash functions are Cyclic Redundancy Checks (CRC), with the first hashfunction being a CRC16-CCITT, and the second hash function being aCRC16-ANSI. The commissioning device then performs a modulo operation onthe first hash value to determine a first bit field location in theBloom filter, and performs the modulo operation on the second hash valueto determine a second bit field location in the Bloom filter. A divisorfor the modulo operation can be the length of a bit array of the Bloomfilter. The commissioning device can set a value in the first bit fieldlocation of the Bloom filter to one, and set the value in the second bitfield location of the Bloom filter to one. The commissioning device canset all of the bit field values in the steering data to a value of oneto indicate that the mesh network is joinable for any device.Alternatively, the commissioning device can set the bit field values ofthe steering data to a value of zero, which disables joining for themesh network.

Mesh network commissioning, generally related to partitioning nodes in amesh network, is described. In embodiments, a node device in a meshnetwork receives a commissioning dataset, and compares a timestamp inthe received commissioning dataset with a stored timestamp in acommissioning dataset that is stored in the node. The node device candetermine from the comparison that the stored timestamp is more recentthan the received timestamp, and in response, transmit a message to aleader device of the mesh network, where the message includes the storedcommissioning dataset. The leader device accepts the storedcommissioning dataset as the most recent commissioning dataset for themesh network, and propagates the stored commissioning dataset to themesh network. Alternatively, the node device can determine that thereceived timestamp is more recent than the stored timestamp, and inresponse to the determination, update the stored commissioning datasetto match the received commissioning dataset.

In other aspects of mesh network commissioning, the receivedcommissioning dataset includes the received timestamp, a commissioningcredential, a network name of the mesh network, and a security policythat indicates which security-related operations are allowed in the meshnetwork. The received timestamp includes a time value, and an indicationthat the time value is traceable to Coordinated Universal Time (UTC). Inimplementations, the node device and the leader device were previouslycommissioned to the mesh network, and the previous commissioning storedidentical commissioning datasets in the node device and the leaderdevice. The stored commissioning dataset in the node device can beupdated after a split of the mesh network that stops communicationbetween the node device and the leader device over the mesh network. Thesplit separates the mesh network and a first partition of the meshnetwork includes the leader device, and a second partition of the meshnetwork includes the node device. The node device can receive thecommissioning dataset after a merge of the first partition and thesecond partition of the mesh network, where the merge reestablishes acommunication path between the node device and the leader device overthe mesh network.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of mesh network commissioning are described with referenceto the following drawings. The same numbers are used throughout thedrawings to reference like features and components:

FIG. 1 illustrates an example mesh network system in which variousembodiments of mesh network commissioning can be implemented.

FIG. 2 illustrates an example environment in which various embodimentsof mesh network commissioning can be implemented.

FIGS. 3A-3D illustrate simplified versions of the example mesh networkenvironment, with devices implemented in accordance with embodiments ofmesh network commissioning.

FIG. 4 illustrates an example of data transactions between devices in amesh network environment in accordance with embodiments of mesh networkcommissioning.

FIG. 5 illustrates an example of a commissioning environment with anestablished commissioner session and an established joiner session inaccordance with embodiments of mesh network commissioning.

FIG. 6 illustrates an example of data transactions between devices in amesh network environment to establish a commissioner session inaccordance with embodiments of mesh network commissioning.

FIG. 7 illustrates an example of data transactions between devices in amesh network environment to establish a joiner session in accordancewith embodiments of mesh network commissioning.

FIG. 8 illustrates an example of steering data generated using a Bloomfilter to encode device identifiers for joining devices in accordancewith embodiments of mesh network commissioning.

FIG. 9 illustrates an example of partitioning a mesh network inaccordance with embodiments of mesh network commissioning.

FIG. 10 illustrates an example method of mesh network commissioning asgenerally related to joining nodes in a mesh network in accordance withembodiments of the techniques described herein.

FIG. 11 illustrates another example method of mesh network commissioningas generally related to joining nodes in a mesh network in accordancewith embodiments of the techniques described herein.

FIG. 12 illustrates an example method of mesh network commissioning asgenerally related to establishing a commissioning session in a meshnetwork in accordance with embodiments of the techniques describedherein.

FIG. 13 illustrates another example method of mesh network commissioningas generally related to establishing a commissioning session in a meshnetwork in accordance with embodiments of the techniques describedherein.

FIG. 14 illustrates an example method of mesh network commissioning asgenerally related to managing multiple commissioning sessions in a meshnetwork in accordance with embodiments of the techniques describedherein.

FIG. 15 illustrates an example method of mesh network commissioning asgenerally related to provisioning a joining device in a mesh network inaccordance with embodiments of the techniques described herein.

FIG. 16 illustrates an example method of mesh network commissioning asgenerally related to hunting and steering in a mesh network inaccordance with embodiments of the techniques described herein.

FIG. 17 illustrates another example method of mesh network commissioningas generally related to hunting and steering in a mesh network inaccordance with embodiments of the techniques described herein.

FIG. 18 illustrates an example method of mesh network commissioning asgenerally related to partitioning nodes in a mesh network in accordancewith embodiments of the techniques described herein.

FIG. 19 illustrates an example environment in which a mesh network canbe implemented in accordance with embodiments of the techniquesdescribed herein.

FIG. 20 illustrates an example mesh network device that can beimplemented in a mesh network environment in accordance with one or moreembodiments of the techniques described herein.

FIG. 21 illustrates an example system with an example device that canimplement embodiments of mesh network commissioning.

DETAILED DESCRIPTION

Wireless mesh networks are communication networks having wireless nodesconnected in a mesh topology that provides reliable and redundantcommunication paths for traffic within a mesh network. Wireless meshnetworks use multiple radio links, or hops, to forward traffic betweendevices within the mesh network. This provides coverage for areas largerthan the area covered by a single radio link.

Wireless mesh networks can be based on proprietary technologies, orstandards-based technologies. For example, wireless mesh networks may bebased on the IEEE 802.15.4 standard, which defines physical (PHY) layerand Media Access Control (MAC) layer features and services for use byapplications at higher layers of a mesh networking stack. Upper-layerapplications use these standards-defined services to implementapplication-level secure communication (e.g., encryption andauthentication) across a mesh network.

While standards-based technologies for mesh networks provide servicesfor secure communication, these technologies do not provide a completesolution for secure commissioning of mesh networks. Standards-basedsolutions may assume that devices are commissioned out-of-band of asecure mesh network, and are left to be designed by an applicationdeveloper. For example, out-of-band commissioning solutions includeinjecting network credentials over a wired connection before the joiningdevice attempts to make a radio-based connection to the mesh network.Alternatively, network credentials are transmitted over an unsecureradio link when the mesh network forms.

Securely commissioning a joining device over the mesh network eliminatesthe need for specialized commissioning tools, additional interfaces onthe joining device for credential injection, and the risk oftransmitting credentials over an unsecured communication link. Variousembodiments provide mesh network commissioning techniques to improve thecommissioning of devices joining a mesh network.

Authentication techniques, used in networks connected to the Internet,can rely on using certificates issued by a certificate authority. Acertificate can be validated to authenticate the identity of anotherdevice on the network. Unlike devices on the Internet, devices in a meshnetwork may not have access to Internet-connected, certificate-basedauthentication in order to authenticate devices for commissioning. Meshnetwork commissioning techniques are described that provide secureauthentication of the commissioning devices and the joining devices tothe mesh network without the need for an external certificate authority.

Standards for mesh networks provide services for securing communicationswithin mesh networks, such as defining a network key (network masterkey) and a MAC-layer encryption technique for communication betweendevices in the mesh network. However, the insertion of credentials, suchas the network key, into a device joining the mesh network is beyond thescope of standards-defined PHY and MAC services. Often, out-of-bandtechniques, for initially loading the credentials into the joiningdevice, are used before the joining device attempts to connect to themesh network. Mesh network commissioning techniques are described thatsecurely communicate network credentials to the joining device duringcommissioning over the mesh network.

Many devices designed for mesh networks have limited, or no, userinterface capability. Limited user interfaces on mesh network devicesmakes entering information, such as passphrases, device identifiers,and/or device addresses, for the joining devices cumbersome anderror-prone for users. Mesh network commissioning techniques aredescribed that increase user efficiency and data entry accuracy duringcommissioning of the joining devices to the mesh network.

As systems that use mesh networking become increasingly ubiquitous, manyjoining devices may need to be added during commissioning of the meshnetwork. The limited resources and user interfaces of many mesh networkdevices results in lengthy and costly commissioning, especially whenlarge numbers of joining devices need to be commissioned orrecommissioned. Mesh network commissioning techniques are described thatincrease the scalability of commissioning the joining devices to themesh network.

Wireless mesh networks may use licensed or unlicensed (also known aslicense-exempt or license-free) radio spectrum. Standards, such as IEEE802.15.4, define usage of the unlicensed radio spectrum, such as channelfrequencies, channel bandwidths, data rates, modulation, accesstechniques, and the like, which enable multiple mesh networks to operatewithin a band of the unlicensed spectrum. Mesh network commissioningtechniques are described that securely join the joining device to thecorrect mesh network in an environment where multiple mesh networksshare the same radio spectrum and/or underlying industry-standardnetworking protocols.

In addition to insertion of the network credentials into the joiningdevice during commissioning, additional provisioning may be required forthe joining device, in order to update or configure the joining devicefor use in the mesh network. This provisioning may require securecommunication of information, such as linking the joining device to auser account of a cloud service, and so forth. Mesh networkcommissioning techniques are described for securely provisioning thejoining device during commissioning.

While features and concepts of the described systems and methods formesh network commissioning can be implemented in any number of differentenvironments, systems, devices, and/or various configurations,embodiments of mesh network commissioning are described in the contextof the following example devices, systems, and configurations.

FIG. 1 illustrates an example mesh network system 100 in which variousembodiments of mesh network commissioning can be implemented. The meshnetwork 100 is a wireless mesh network that includes routers 102, arouter-eligible end device 104, and end devices 106. The routers 102,the router-eligible end device 104, and the end devices 106, eachinclude a mesh network interface for communication over the meshnetwork. The routers 102 receive and transmit packet data over the meshnetwork interface. The routers 102 also route traffic across the meshnetwork 100. The routers 102 and the router-eligible end devices 104 canassume various roles, and combinations of roles, for commissioningwithin the mesh network 100, as discussed below.

The router-eligible end devices 104 are located at leaf nodes of themesh network topology and are not actively routing traffic to othernodes in the mesh network 100. The router-eligible device 104 is capableof becoming a router 102 when the router-eligible device 104 isconnected to additional devices. The end devices 106 are devices thatcan communicate using the mesh network 100, but lack the capability,beyond simply forwarding to its parent router 102, to route traffic inthe mesh network 100. For example, a battery-powered sensor is one typeof end device 106.

The routers 102, the router-eligible end device 104, and the end devices106 include network credentials that are used to authenticate theidentity of these devices as being a member of the mesh network 100. Therouters 102, the router-eligible end device 104, and the end devices 106also use the network credentials to encrypt communications in the meshnetwork.

FIG. 2 illustrates an example environment 200 in which variousembodiments of mesh networking commissioning techniques can beimplemented. The environment 200 includes the mesh network 100, in whichsome routers 102 are performing specific roles in the mesh network 100.The devices within the mesh network 100, as illustrated by the dashedline, are communicating securely over the mesh network 100, using thenetwork credentials. Devices shown outside the mesh network 100 do nothave a copy of the network credentials for the mesh network 100 andcannot use mesh network layer security to securely communicate.

A border router 202 (also known as a gateway and/or an edge router) isone of the routers 102. The border router 202 includes a secondinterface for communication with an external network, outside the meshnetwork 100. The border router 202 connects to an access point 204 overthe external network. For example, the access point 204 may be anEthernet router, a Wi-Fi access point, or any other suitable device forbridging different types of networks. The access point 204 connects to acommunication network 206, such as the Internet. A cloud service 208,which is connected via the communication network 206, provides servicesrelated to and/or using the devices within the mesh network 100. By wayof example, and not limitation, the cloud service 208 providesapplications that include connecting end user devices, such as smartphones, tablets, and the like, to devices in the mesh network 100,processing and presenting data acquired in the mesh network 100 to endusers, linking devices in one or more mesh networks 100 to user accountsof the cloud service 208, provisioning and updating devices in the meshnetwork 100, and so forth.

A user choosing to commission a new device to join the mesh network 100can use a commissioning device 210, which connects to the border router202 via the external network technology of the access point 204, tocommission the new device. The commissioning device 210 may be anycomputing device, such as a smart phone, tablet, notebook computer, andso forth, with a suitable user interface and communication capabilitiesto operate in the role of a commissioner to join devices to the meshnetwork 100. To become the commissioner for the mesh network 100, thecommissioning device 210 petitions to become the commissioner, asdescribed in detail below.

A joining device 212 is any router-eligible end device 104 or end device106 that the user chooses to join to the mesh network 100. Beforecommissioning, the joining device 212 has not received the networkcredentials for the mesh network 100 and cannot be authenticated to, orsecurely communicate over, the mesh network 100. During commissioning,the joining device 212 performs the role of a joiner (or joiningdevice), as described in detail below.

One of the routers 102 performs the role of a joiner router 214 duringcommissioning of the joining device 212 to join the mesh network 100.The role of the joiner router 214 can be performed by any router 102that is within one radio link of the joining device 212. The joinerrouter 214 provides a local-only radio link to the joining device 212for a joiner session, as described in detail below.

One of the routers 102 performs the role of a leader 216 for the meshnetwork 100. The leader 216 manages router identifier assignment and theleader 216 is the central arbiter of network configuration informationfor the mesh network 100. The leader 216 also controls whichcommissioning device 210 is accepted as a sole, active commissioner forthe mesh network 100, at any given time.

The environment 200, as shown in FIG. 2, shows devices performing only asingle role of the various roles described above. FIGS. 3A-3D as shownand described below illustrate, by way of example, and not limitation,other distributions of commissioning roles for mesh networkcommissioning techniques.

FIG. 3A illustrates a simplified version 300 of the example environment200, with only those devices having commissioning-specific roles shownfor the sake of clarity. In this example, each device in FIG. 3A isperforming a single commissioning role in embodiments of mesh networkcommissioning. FIG. 3A also illustrates communication links used duringthe commissioning process. Secure mesh communication links 302 are usedbetween devices that have been joined to the mesh network 100. Alocal-only radio link 304, which is unsecured, is established to connectthe joining device 212 to the joiner router 214 for commissioning thejoining device 212 to the mesh network 100. An external network 306 hascommunication links as shown, such as a point-to-point link 308 betweenthe border router 202 and the commissioning device 210 over the externalnetwork.

FIG. 3B also illustrates a simplified version 320 of the exampleenvironment 200, and shows a border/joiner router 322, which is theborder router 202 additionally performing the role of the joiner router214. FIG. 3C also illustrates a simplified version 340 of the exampleenvironment 200, and shows a commissioner/border router 342, which isthe border router 202 additionally performing the role of thecommissioning device 210. In this example, the commissioner/borderrouter 342 includes the mesh network interface. The commissioner/borderrouter 342 may also be referred to as an on-mesh commissioner, beingthat the commissioner/border router 342 is connected to the mesh network100.

FIG. 3D also illustrates a simplified version 360 of the exampleenvironment 200, and shows a commissioner/border router/joiner router362, which is the border router 202 additionally performing the role ofthe joiner router 214 and the commissioning device 210. FIGS. 3A-3Dillustrate a sample of the possible combinations of mesh networkcommissioning roles, where any router-eligible end device 104 device canperform multiple roles (except for the role of the joining device 212).

FIG. 4 illustrates the commissioning process 400 by showing thetransactions between the devices in the mesh network 100 that areperforming the various mesh network commissioning roles. Thecommissioning process 400 begins when the commissioning device 210, forexample a mobile phone, discovers the mesh network 100 is available forcommissioners from an advertisement 402 from the border router 202. Thecommissioning device 210 then establishes a secure socket connectionwith the border router 202 using a Pre-Shared Key for the Commissioner(PSKc). This secure connection establishes a commissioning session 404.There can be only one active commissioner at a time, so thecommissioning device 210 petitions the leader 216 to become the activecommissioning device 210 for the mesh network 100, by sending a petition406 to the border router 202, which in turn is forwarded as petition 408by the border router 202 to the leader 216.

If the leader 216 accepts the commissioning device 210 as the activecommissioner, the leader sends a petition response 410 to the borderrouter 202, which in turn forwards the petition response 412 to thecommissioning device. The leader 216 also indicates to devices on themesh network 100 that the there is an active commissioner by propagatingupdated network data 414 over the mesh network 100.

Once active as the commissioner, the commissioning device 210 enablesjoining for the mesh network 100. Optionally, the commissioning device210 provides steering data that indicates device identifiers of thejoining devices 212 expected to join the mesh network 100. Thecommissioning device 210 may also query and set network parameters, suchas a network name and a security configuration.

The joining device 212 sends a request 416 to establish a joiner sessionto the joiner router 214, which then relays the request 418 from thejoining device 212 to the border router 202. It should be noted that therelay request 418 may be forwarded by any number of routers 102 in themesh network, between the joiner router 214 and the border router 202.The border router 202 forwards the request 420 to establish the joinersession to the commissioning device 210. The commissioning device 210sends a response 422 to the request for the joiner session to the borderrouter 202, which in turn relays the response 424 to the joiner router214. The joiner router 214 finishes the establishment of the joinersession at 426. The establishment of the joiner session in FIG. 4 isshown in a simplified manner for the sake of clarity; additional relayedDTLS messages may be exchanged as a part of the DTLS handshake toestablish the joiner session.

As shown at 416 through 426, the joining device 212 and thecommissioning device 210 perform a handshake, using Datagram TransportLayer Security (DTLS) or Transport Layer Security (TLS) using aPre-Shared Key for the Device (PSKd) for the joining device 212. Thehandshake is performed over the relay thorough the mesh network 100, asdescribed in detail below. The commissioning device 210 derives the PSKdfrom a joining device credential received out-of-band of the meshnetwork 100, typically entered through a user interface of thecommissioning device 210, such as by scanning a QR code or bar code.Once the handshake is complete, a shared secret, produced from the PSKd,is used to establish the joiner session and pass the network credentialsfor the mesh network 100 from the joiner router 214 to the joiningdevice 212. Optionally, in addition to passing the network credentialfor the mesh network 100, the commissioner session and the joinersession may be used to provision the joiner, as shown at 428.

FIG. 5 illustrates a commissioning environment 500 with the establishedcommissioner session and the established joiner session. Thecommissioner session 502 is a secure communication tunnel from thecommissioning device 210 to the border router 202. The joiner session504 is a secure communication tunnel from the commissioning device 210to the joining device 212. Other mesh communication links and externalnetwork communication links are omitted for the sake of clarity.

First Device Pairing

In order to join devices to the mesh network 100, a first device iscommissioned to establish a commissioning credential for commissioningdevices to join the mesh network 100, and network credentials for secureoperation of the mesh network 100. The commissioning device 210 connectsto the first device, which can be any router-eligible end device 104.The first device is commissioned out-of-band of the mesh network 100.Any suitable connection may be used, such as USB, ad hoc Wi-Fi,Bluetooth, point-to-point IEEE 802.15.4, and the like, to connect thefirst device to the commissioning device 210.

Once the commissioning device 210 connects to the first device, thecommissioning device programs the PSKc and the network name for the meshnetwork 100 into the first device. The PSKc is used to authenticatecommissioning devices 210 to the mesh network 100 and establish thecommissioning session, as described above and below. The network name isin human-readable form, similar to a Service Set Identifier (SSID) inWi-Fi networks. Once the first device is commissioned, the first devicebecomes the leader 216 of the mesh network 100. The first device formsthe mesh network 100, including determining a unique Personal AreaNetwork Identifier (PAN ID) and a unique Extended PAN ID (XPANID) forthe mesh network 100 and the network key for the mesh network 100.

The PSKc is derived from the commissioning credential, which is ahuman-scale passphrase, entered into the commissioning device 210, bythe user administering the mesh network 100. The commissioningcredential is hardened (e.g., by cryptographically hashing multipletimes) to derive the PSKc, which is stored by the leader 216 and thecommissioning device 210. Any suitable cryptographic hash technique maybe used to derive the PSKc.

To improve the security of the PSKc, cryptographic techniques may beapplied to increase the entropy of the commissioning credential in thederived PSKc, relative to the equivalent human-scaled commissioningcredential passphrase entered by the user. By using key stretching, thederived key can be safely stored on embedded nodes which may bephysically compromised, and the user's passphrase won't be compromised.This is helpful because users often reuse passphrases for multiplewebsites and accounts. For example, any suitable cryptographictechnique, such as applying a cryptographic hash multiple times, is beused to stretch the key. For example, Password-Based Key DerivationFunction 2 (PBKDF2) can be used to apply Advanced EncryptionStandard-Cipher-based Message Authentication Code-Pseudo-RandomFunction-128 (AES-CMAC-PRF-128). For example, the PSKc may be derived asshown in equation 1:PSKc=PBKDF2(PRF,P,S,c,dkLen)  (1)where, PRF is a type Pseudo-Random Function to use by the PBKDF2, P isthe commissioning credential, S is a salt for the cryptographic function(e.g., a string such as a network type concatenated with the networkname), c is a number of iterations of the PRF, and dkLen is the desiredlength of the derived key (PSKc).

Establishing the Commissioning Session

FIG. 6 illustrates the process 600 of establishing the commissionersession by showing the transactions between the commissioning device210, the border router 202, and the leader 216. The mesh network 100 mayhave a limited number of active commissioning devices 210, but there maybe multiple potential commissioning devices 210 that can perform therole of the commissioner. The leader 216 is responsible for assuringthat there is only a finite set of active commissioners for the meshnetwork 100. By way of example, and not limitation, the finite set ofactive commissioners may be limited to a single active commissioner. Tobecome the active commissioner, the commissioning device 210 petitionsthe leader 216 to become the commissioner for the mesh network.

At 602, the border router 202 advertises, on the external networkinterface, that the mesh network 100 is available for commissioningdevices 210. The border router 202 may make the advertisement inresponse to a multicast request (i.e., a scan or a query) within aservice discovery protocol. For example, the advertisement 602 may bedone using any suitable service discovery, such as Multicast Domain NameService (mDNS). Specifically, for wireless networks, the border routers202 advertise a commissioning service using DNS Service Discovery(DNS-SD) via a Uniform Resource Locator (URL). A lookup server wouldthen respond with all the different wireless networks that areaccessible, the network name of the mesh network 100, and acommissioning port.

The commissioning device 210 responds 604 to the advertisement from theborder router 202 by requesting a secure connection for thecommissioning session between the commissioning device 210 and theborder router 202. For example, the commissioning session can beestablished in any suitable manner, such as using the PSKc to establishthe commissioning session using DTLS or TLS. By way of example, and notlimitation, the commissioning device 210 and the border router 202exchange DTLS messages 606-616 to identify and authenticate thecommissioning device to the mesh network 100, and to establish thesecure connection for the commissioner session.

The commissioning session may use any suitable network port, such as aUser Datagram Protocol (UDP) or a Transmission Control Protocol (TCP)port as both the source and destination port for the commissioningsession. For example, the commissioning session uses the commissioningport discovered during network discovery. Each border router 202 canassign the commissioning port or use a default commissioning port.

In order to become the active commissioner for the mesh network 100, thecommissioning device 210 petitions 618 the leader 216 to request tobecome the commissioner. Using the commissioning session, thecommissioning device 210 sends the border router 202, a petition 620 tobecome the active commissioner for the mesh network 100. The borderrouter 202 forwards the petition 622 to the leader 216. For example,after the commissioning device 210 is authenticated and identified, theborder router 202 unicasts to the leader 216, a Commissioner PetitionRequest message 620 (e.g., COMM_PET.req). The Commissioner PetitionRequest is forwarded, by the border router 202 to the leader 216, asrequest 622 (e.g., as the LEAD_PET.req) requesting that thecommissioning device 210 be accepted as the active commissioning device210 for the mesh network 100. For example, the commissioner petitionrequest message, including a commissioner identification string, is sentsecurely over the mesh network 100.

The leader 216 determines if there is an active commissioner for themesh network 100. If there is an active commissioner, the leader rejectsthe petition from the commissioning device 210. If there is no activecommissioner for the mesh network 100, the leader 216 accepts thepetition from the commissioning device 210. The leader 216 updates itscopy if the commissioning dataset to reflect that there is an activecommissioner and the identity of the commissioning device 210. Theleader 216 sets a permit-join flag for the mesh network 100 to true. Theleader 216 then propagates 624 the network data and the updatedcommissioning dataset to the mesh network 100, which indicates that themesh network 100 is joinable.

For example, the leader 216 will respond to the Commissioner PetitionRequest message by either accepting or rejecting the commissioningdevice 210 as the active commissioner for the mesh network 100. Uponacceptance, the leader 216 will update its copy of the network data withthe new commissioner information, set a permit-join flag to true, andpropagate the updated network data and commissioning dataset over themesh network 100 using any suitable protocol, such as Multicast Protocolfor Low Power and Lossy Networks (MPL), or multicasting an MLE-UPDATEmessage.

Potential joiner routers 214 (i.e., routers 102 and router-eligible enddevices 104) store the updated network information and commissioningdataset propagated by the leader 216. The updated network informationand commissioning dataset allows for direct communication with thecommissioning device 210 for use when commissioning any joining device212. The commissioning dataset includes a border router locator (RLOC)that allows any device to send a message to the current, active borderrouter 202, which is acting as a proxy for the active commissioner.

After determining whether to accept or reject the petition from thecommissioning device 210, the leader 216 responds 626 with an indicationof its decision to the border router 202. The border router 202 sends aresponse 628 to the commissioning device 210 that includes theindication of the decision to accept or reject the petition by theleader 216. For example, the leader 216 sends a Leader Petition Responsemessage (e.g., LEAD_PET.rsp) to the border router 202 indicating thedecision of the leader 216 to accept or reject the commissioning device210 as the active commissioner for the mesh network 100. In response toreceiving the Leader Petition Response message from the leader 216, theborder router 202 will send a Commissioner Petition Response message(e.g., COMM_PET.rsp) to the commissioning device 210 indicating thedecision of the leader 216 to accept or reject the commissioning device210 as the active commissioner for the mesh network 100.

Alternatively as shown at 630, the leader 216, after accepting thepetition for the commissioning device 210 to become the activecommissioner, sets the permit-join flag to true, but waits to receive aSet Management Data Request message 632 (e.g., MGMT_SET.req) thatincludes an indication from the commissioning device 210 to allow theleader 216 to propagate the updated network data to the mesh network100. The leader 216 replies to the commissioning device with a SetManagement Data Response message 634 (e.g., MGMT_SET.rsp) to acknowledgethe request to propagate the updated network data. The leader 216propagates 636 the network data and the updated commissioning dataset tothe mesh network 100, which indicates that the mesh network 100 isjoinable.

Before the commissioning device 210 sends the Set Management DataRequest message to allow the leader 216 to propagate the updated networkinformation, the commissioning device 210 may administer the meshnetwork 100, such as configuring devices, changing network settings, andso forth, without making the mesh network 100 joinable. Thecommissioning dataset includes a commissioner session identifier, acommissioning dataset timestamp, and the PSKc. When the commissioningdevice 210 is the active commissioner on the mesh network 100, thecommissioning dataset also includes a location of the border router 202.When the mesh network 100 is joinable, the commissioning dataset alsoincludes steering data that indicates which joining devices 212 areallowed to join the mesh network 100. When the mesh network 100 isjoinable, the routers 102 in the mesh network 100 include thepermit-join flag and the steering data in beacons transmitted by therouters 102.

The commissioning device 210 may include the mesh network interface,enabling the commissioning device 210 to operate as a nativecommissioner on the mesh network 100. When a native commissioner bit isset in a beacon, and the commissioning device 210 includes the meshnetwork interface, the commissioning device 210 may petition the leader216 to become the active commissioner for the mesh network 100.

Once accepted as the active commissioner, the commissioning device 210may manage the network using Set Management Data Request messages andGet Management Data Response messages to get and set network parametersof the mesh network 100. The network parameters include the PSKc, thenetwork name, the network key, a network key sequence number, a networkPAN ID, a network extended PAN ID, a network Unique Local Address (ULA),and/or a radio channel for the mesh network 100. Additional managementcapabilities are contemplated, such as facilities for ejectingpreviously joined devices from the mesh network 100. Set Management DataRequest messages and Get Management Data Response messages are relayedto the leader 216 via the border router 202 over the commissioningsession. As the messages to get and set the network parameters commandsaffect global network-wide state, the messages are forwarded to, andstored by, the leader 216. Any device can directly address a request toobtain the network information to the leader 216 and avoid multi-hopaddressing.

Establishing the Joiner Session

In order to securely commission a new device to the mesh network 100,the joiner session is established between the commissioning device 210and the joining device 212. The joiner session, is a communicationtunnel through the mesh network 100 between the commissioning device 210and the joining device 212. The joining device credential is ahuman-scaled passphrase that is used to authenticate that the joiningdevice 212 is eligible to join the mesh network 100. The joining devicecredential is communicated between the joining device 212 and thecommissioning device 210 by any suitable out-of-band mechanism. Forexample, the joining device credential may be communicated by scanning aQR code or a barcode, located on the joining device 212, with a cameraincluded in the commissioning device 210, by entering a serial number ofthe joining device 212, into the user interface of the commissioningdevice 210, and so forth.

FIG. 7 illustrates the process 700 of establishing the joiner session byshowing the transactions between the commissioning device 210, theborder router 202, the joiner router 214, and the joining device 212. Insome embodiments, establishing the joiner session begins with thejoining device 212 scanning radio channels, such as channels defined inthe IEEE 802.15.4 specification, to find potential mesh networks 100 tojoin. The joining device 212 issues a beacon request 702 to each meshnetwork 100 found during the channel scan, to which all mesh networks100 will respond.

For example, the joining device 212 performs an active scan bytransmitting an 802.15.4 MAC-BEACON.request on every channel. Inresponse to receiving the beacon request, the joiner router 214transmits a beacon response 704 that includes the steering data toassist the joining device 212 to discover the correct mesh network 100to join. The joiner router 214 transmits an 802.15.4 MAC-BEACON.responsethat includes the steering data in the payload of the 802.15.4MAC-BEACON.response. Details of generating, transmitting, and using thesteering data are described in further detail below. Once the joiningdevice 212 has found the mesh network 100 to join, the joining device212 establishes the local-only radio link, which is an unsecured,point-to-point communication link, to the joiner router 214.

For example the joining device 212 establishes the local-only radio link706 to the joiner router 214 by configuring MAC-layer network parameters(e.g., channel, PAN ID, etc.) gleaned from the beacon received from thechannel scan. The joining device 212 sends packets to a joiner port(e.g. a UDP port) on an unsecured interface, (e.g., port number 5684“:coaps”) of the joiner router 214, to establish the local-only radiolink. The joiner port is also communicated in the beacon. If the joinerport is missing, a default port is used by the joining device 212.

The joining device 212 sends a request to the joiner router 214 to jointhe mesh network 100. Upon receipt of the request to join the meshnetwork 100, the joiner router 214 sends the request for authority tojoin to the commissioning device 210. The joiner router 214 forwards alltraffic sent by the joining device 212 on the unsecured joiner port. Thejoiner router 214 does not process or understand the contents of theDTLS Handshake, which is understood by the commissioning device 210. Insome embodiments, the joiner router 214 may store a location of thecommissioning device 210, or the border router 202 that is a proxy forthe commissioning device 210, in its memory, retrieve the location ofthe commissioning device 210 from another device (e.g., the leader 216,or the border router 202), or some other location (e.g., remoteservice). The PSKd is used to authenticate the joining device 212 to themesh network 100 and to secure the joiner session between thecommissioning device 210 and the joining device 212. The PSKd is derivedfrom the joining device credential.

In some embodiments, the joiner session may be established using DTLS,as well as an authentication protocol, such as Password AuthenticatedKey Exchange by Juggling (J-PAKE), Secure Remote Password (SRP)protocol, and/or any other suitable password authenticated key exchangeprotocol. For example, an elliptic curve variant of J-PAKE (EC-JPAKE),using the NIST P-256 elliptic curve may be used for authentication andkey agreement. Using J-PAKE with the PSKd proves that the user, who iscommissioning the joining device 212, has physical possession of thejoining device 212, as well as proving that the commissioning device 210is connected to the correct joining device 212 over the joiner session.

The joiner router 214 forwards the request to join the mesh network 100,which is received from the joining device 212 over the joiner session,to the commissioning device 210. Upon authorization to join the meshnetwork 100, from the commissioning device 210, the network key istransferred securely to the joining device 214 using the joiner session.

For example, the joining device 212 may send a joiner identificationmessage to the joiner router 214 to provide a human-readable name forthe joining device 212. The joiner router 214 encapsulates informationin the joiner identification message in a relay message and forwards therelay message to the border router 202, using a commissioner prefix, ananycast address, or the border router locator. Upon receipt of the relaymessage, the border router 202 appends a sender address (in this case,the address of the joiner router 214) to a list of next relay addressesat the end of the relay message, and forwards the relay message over thejoiner session.

For example, the joining device 212 sends handshake messages 708 usingDTLS and UDP to the joiner router 214. The joiner router 214 relays theDTLS handshake messages 710 to the border router 202 for delivery to thecommissioning device 210. The joiner router 214 has no knowledge of thecontent of the relayed DTLS handshake messages. The joiner router 214filters the received DTLS handshake messages, received from the joiningdevice 212 over the unsecured local-only radio link, based on an agreedupon the joiner UDP port, described above. The joiner router 214 relaysall messages received on the specified joiner UDP port. The joinerrouter 214 may rate limit forwarding of unsecured messages to preventDenial of Service (DOS) attacks on the mesh network 100.

By way of further example, the joining device 212 initially identifiesitself to the commissioning device 210 by sending a DTLS-ClientHellomessage to the joiner router 214. This initial DTLS-ClientHello isintended to allow the commissioning device 210 to assign the joiningdevice 212 a DTLS cookie for use during the remainder of thecommissioning exchange. The joiner router 214 encapsulates theDTLS-ClientHello UDP payload in a DTLS Relay Receive Notificationmessage (e.g., RLY_RX.ntf), adding a source address of the encapsulatedpacket as a relay hop, in this case a link local 64-bit address of thejoining device 212. The DTLS cookie is sent to the joining device 212,which the joining device 212 then returns to the commissioning device210 to ensure that the joining device 212 is genuine.

The joiner router 214 also adds its address as a relay point to the DTLSRelay Receive Notification message. The joiner router 214 sends the DTLSRelay Receive Notification message to the border router 202. The borderrouter 202, upon receipt of the DTLS Relay Receive Notification message,forwards the DTLS Relay Receive Notification message 712 over thecommissioning session to the commissioning device 210.

Based on the joiner identification message received from the joiningdevice 212, the commissioning device 210 uses the joiner identificationmessage to initiate a DTLS-HelloVerify message based on the PSKd. TheDTLS-HelloVerify message and a DTLS Relay Transmit Notification message(e.g., RLY_TX.ntf) are sent to the border router 202, at 714. The borderrouter 202 relays the DTLS-HelloVerify message and the DTLS RelayTransmit Notification message to the joiner router 214, at 716. Thejoiner router 214 sends the DTLS-HelloVerify message to the joiningdevice 212, at 718.

Alternatively, the commissioning device 210 may have information formultiple joining devices 212 that are to be commissioned. Thecommissioning device 210, upon reception of the DTLS-ClientHello messagefrom a particular one of the multiple joining devices 212, examines theIEEE 64-bit Extended Unique Identifier (EUI-64) address of the joiningdevice 212 that sent the DTLS-ClientHello message. The commissioningdevice 210 looks for the PSKd, in the information for multiple joiningdevices 212 that are to be commissioned, to continue the DTLS handshakefor the particular joining device 212. The commissioning device 210relays a combined DTLS-ServerHello, DTLS-ServerKeyEx, andDTLS-ServerHelloDone back to the joining device 212, via the joinerrouter 214. Upon completion of this DTLS handshake, the establishment ofthe joiner session is complete.

Once the commissioning device 210 has authenticated the joining device212, the commissioning device 210 entrusts the joining device 212 withthe network credentials for the mesh network 100. For example, thecommissioning device 210 requests the network credentials from theborder router 202, and sends the network credentials to the joiningdevice 212 in a joiner entrust message over the joiner session,transported by the DTLS Relay Transmit Notification message over thecommissioning session. Alternatively, the commissioning device 210entrusts the joining device 212 with the network credentials for themesh network 100 using a Key Exchange Key (KEK) as a shared secretbetween the commissioning device 210 and the joining device 212. The KEKis sent to the joiner router 214 for the joining device 212 and is usedto encrypt the network credentials for transmission over the local-onlyradio link.

Joining Device Provisioning

When the joining device 212 is joined to the mesh network 100, thejoining device 212 may also require provisioning. Provisioning mayinclude updating the firmware in the joining device 212, configuring thejoining device 212, providing a local configuration related to otherdevices on the mesh network 100, linking the joining device 212 to anaccount of the user on the cloud service 208, linking the joining device212 to a cloud-based application server, and so forth. While stillestablished, the commissioner session and the joiner session are used toprovide a secure connection for provisioning the joining device 212,before the joining device 212 uses the network credentials to join themesh network 100.

The joining device 212 sends an indication of a location for acommissioner application to be executed by the commissioning device 210to perform the provisioning of the joining device 212. The indication ofthe location may be used to find the commissioner application in thememory of the commissioning device 210, or may be used by thecommissioning device 210 to retrieve the commissioner application fromthe cloud service 208. The indication may be in any suitable form, forexample a Uniform Resource Locator (URL). When the provisioning of thejoining device 212 is finalized, the joining device 212 terminates thejoiner session and the local-only radio link. The joining device 212uses the network credentials to join the mesh network 100.

Steering Data

Wireless mesh networks may share radio spectrum. Standards, such as IEEE802.15.4, define multiple channels, which enables multiple networks tooperate within a band of radio spectrum. Additionally, when there aremany devices to commission to the mesh network 100, it is desirable toefficiently communicate multiple device identifiers for the many joiningdevices 212, using the steering data in the beacon, to assist thejoining devices 212 in hunting for the correct mesh network 100 to join.Mesh network commissioning techniques are described that securely joinmultiple joining devices 212 to the correct mesh network 100, in anenvironment where multiple mesh networks share the same radio spectrumand/or underlying industry-standard networking protocols.

When the commissioning device 210 obtains the PSKd and the EUI-64 MACaddress for a desired joining device 212, the commissioning device 210constructs the steering data that will signal to the desired joiningdevice 212 which mesh network 100 to join. The steering data willinclude some way to distinguish the mesh network 100 from other802.15.4-based networks, a way to communicate whether or not there is anactive commissioner on the mesh network 100, and a way to specify whichjoining devices 212 are currently allowed to join the mesh network 100.

The steering data is determined by the commissioning device 210 andindicates the device identifiers of one or more joining devices 212 thatare allowed to join the mesh network 100. The commissioning device 210propagates the steering data to the routers 102 in the mesh network 100.The routers 102, in turn, include the steering data in the beacon forthe mesh network 100, transmit the beacon to provide the steering datato potential joining devices 212, with an indication that the meshnetwork 100 is joinable, and if the potential joining devices 212 areallowed to join the mesh network 100. For example, the commissioningdevice 210 obtains the PSKd and the EUI-64 MAC address for the desiredjoining device 212, as discussed above. From this EUI-64, thecommissioning device 210 constructs the steering data to signal to thedesired joining device 212 that the desired joining device 212 isallowed to join the mesh network 100.

In a further example, the steering data may include a list of 16-bitCyclic Redundancy Check (CRC16) encoded EUI-64 addresses of the joiningdevices 212 that are allowed to join the mesh network 100. The CRC16provides a compact representation of the EUI-64 addresses, with a lowchance of collisions between two different EUI-64 addresses in theCRC16-encoded addresses. The use of the CRC16 enables the proper joiningdevice 212 to efficiently find the correct mesh network 100 to join,while efficiently using resources of the mesh network 100, by reducingthe size of the required beacon payload for the device identifiers ofthe joining devices 212.

In the case where multiple mesh networks 100 have active commissioners,the joining device 212 hunts for the correct mesh network 100 bycollecting the beacons from the active scan. The joining device 212discards collected beacons from non-mesh networks, beacons with a wrongprotocol, beacons with a wrong version, beacons with a wrong XPANID,beacons with a wrong network name, and/or beacons with beacons withjoining disabled. The joining device 212 prioritizes collected beaconswith an exact match to the device identifier of the joining device 212in the steering data of the collected beacons, and sub-prioritizes thematching, collected beacons in order of a best signal strength. Thejoining device 212 attempts to join the prioritized networks, one at atime (as described above), until the joining device 212 successfullyjoins the mesh network 100. If the joining device exhausts theprioritized list of networks without successfully joining the meshnetwork 100, the joining device 212 may perform the active scan to beginhunting for the mesh network 100 again, either immediately or after adelay period.

The steering data guides which joining devices 212 may, or may not,attempt to join the mesh network 100. Additionally, all bits in thesteering data may be set to a value of zero to indicate that the meshnetwork 100 is not available for joining. Alternatively, all bits in thesteering data may be set to a value of one to indicate that that themesh network 100 is available for joining by any joining device 212.

Some commissioning devices 210 may lack resources to extract the EUI-64and the joining device credential easily by scanning a QR code. In thiscase, the least significant 24 bits of the EUI-64 are used as the deviceidentifier for the joining device 212, when determining the steeringdata. An S-bit in the beacon signifies whether a short or a long deviceidentifier for the joining device 212 is used to determine the steeringdata. The S-bit is set to a value of zero when the EUI-64 is used as thedevice identifier for determining the steering data. The S-bit is set toa value of one when the least significant 24-bits of the EUI-64 are usedas the device identifier for determining the steering data.

FIG. 8 illustrates an example 800 of steering data generated using aBloom filter, which is used to encode the device identifiers for thejoining devices 212 into the steering data. The Bloom filter provides anefficient encoding of the devices identifiers with a low probability ofcollisions between the encoded values of different device identifiers.Each device identifier 802, to include in the steering data, is encodedby a first hash function 804 to produce a first hash value and isencoded by a second hash function 806 to produce a second hash value.For example, the first hash function 804 is a CRC16-CCITT and the secondhash function 806 is a CRC16-ANSI. The device identifier 802 is theEUI-64 of the joining device 212. Alternatively, the twenty-four leastsignificant bits of the EUI-64 are used as the device identifier 802.

A modulo operation 808 is performed on the first hash value and on thesecond hash value. A divisor, for the modulo operation, is a length of abit array 810 of the Bloom filter (bit positions in the bit array 810are shown at 812, and bit values are shown at 814.) Each bit in the bitarray is initialized to a value of zero before determining the steeringdata. The result of each modulo operation determines a location in thebit array. The value in the two determined locations in the bit arrayare set to a value of one, and the two determined bit fields provide amapping to the device identifier.

For example, for a hypothetical device identifier 802, performing themodulo operation 808 on the result of the first hash function 804results in a value of three for the device identifier 802. Performingthe modulo operation 808 on the result of the second hash function 806results in a value of six for the device identifier 802. The values atthe bit positions three (3) and six (6) are set to a value of one toindicate the Bloom-filtered value of the hypothetical device identifier802.

The joining device 212 also calculates the Bloom filter bit locationsthat represent the device identifier of the joining device 212. Thejoining device 212 determines if the calculated bit positions bothcontain a value of one in the steering data in the collected beacons. Apositive determination indicates, to the joining device 212, that thejoining device 212 is allowed to join the mesh network 100. The valuesof the bits in the bit array of the Bloom filter may all be set to avalue of one to indicate that any joining device 212 is allowed to jointhe mesh network 100. Setting all the bits in the Bloom filter bit arrayto a value of zero indicates that there is no active commissioner forthe mesh network 100 and that the mesh network 100 is not available forjoining. The Bloom filter provides a compact representation withanonymity for the device identifiers, while allowing the proper joiningdevices 212 to efficiently find the correct mesh network 100 to join,with a low probability of false positives indicating that a particularjoining device 212 is allowed to join the mesh network 100 when theparticular joining device is not allowed to join.

Parameters for the Bloom filter are: k, a number of hash functions usedto hash the device identifier; m, a number of bits in the bit array ofthe Bloom filter; and n, a number of the joining devices 212 torepresent in the steering data. As an example, and not a limitation, theparameter k is set to two, indicating that two hash functions are used,such as a CRC16-CCITT with polynomial 0x1021 and a CRC16-ANSI withpolynomial 0x8005. Other values of k, hash functions, and polynomialsare contemplated.

The probability of collisions, p, for the Bloom filter can be calculatedas follows:

$\begin{matrix}{p = \left( {1 - {\mathbb{e}}^{({{- k}\;\frac{n}{m}})}} \right)^{k}} & (2)\end{matrix}$The commissioning device 212 may set the length of the bit array, m, asrequired to get a reasonably low collision probability in the steeringdata. The use of the Bloom filter allows the steering data to scale tosupport joining large numbers of the joining devices 212 to the meshnetwork 100, while maintaining a low probability of collisions. Thefollowing table shows for various values of n, and a probability ofcollisions p, when m=127 (i.e., 16 bytes):

n p    1 0.000    2 0.001    3 0.002    4 0.004    5 0.006   10 0.021  12 0.030   20 0.073   25 0.106   30 0.142   50 0.297  100 0.629  2000.916 1000 1.000

-   -   In order to join large numbers of joining devices 212 (e.g.,        1000), the commissioning device 210 may break the large set into        smaller sets, such that each smaller set has a lower probability        of collisions (false positives) in the steering data.

Managing Commissioning Data Across Mesh Network Partitions

FIG. 9 illustrates the mesh network 100 when a split or partitioning ofthe mesh network 100 has occurred. For instance, one of the routers 102may have lost power, resulting in a split of the mesh network 100 thatprevents one partition or fragment of the mesh network 100 fromcommunicating with another partition. On the other hand, radiointerference may have blocked communications in a portion of the meshnetwork 100 creating the split of the mesh network 100. When the meshnetwork 100 splits into two network fragments 902 and 904, the networkfragment 904 will choose a leader for the fragment 904, and may alsoaccept a commissioner for the fragment 904, which is different than thecommissioner for the fragment 902. Either, or both, of the fragments mayupdate network credentials during the split.

The mesh network 100 can cleanly and reliably partition into twodisparate fragments, which are fully functional networks whenconnectivity between the two partitions is severed. The partitions cancontinue any outstanding communications that are fully contained withina partition uninterrupted and can continue with normal key rotation. Thetwo mesh network partitions, formerly part of the single, mesh network100 can autonomously merge when connectivity between the two partitionsis restored.

If the commissioning credential is changed in the network fragment 902during the split, the commissioning credential change will be propagatedto the devices within the network fragment 904 when connectivity isrestored between the network fragments 902 and 904. In other words, insome embodiments, the commissioning credential is updated to the mostrecently adopted credential. However, if both network fragments 902 and904 authorize different commissioners, and receive new and differentcommissioning credentials during the split, it may be more difficult todetermine the most recent credential.

Resolution of commissioning credentials between any two mesh networkfragments, previously fragmented but now merging, propagates the mostrecently changed commissioning dataset to the devices in the meshnetwork 100. If there is a change on the fragment 902, the user believeshe or she is changing the commissioning credential on the entire meshnetwork 100 but, due to the partitioning, is only effectively changingthe credential on the fragment 902. At some later point in time, thefragments 902 and 904 merge. Because the original credential on thefragment 904 remained unchanged following the fragmentation, whereas thecredential on the fragment 902 was changed, the merged fragments assumethe new credential established on the fragment 902 during thefragmentation. If there is a change to the commissioning credential onthe fragment 904 during the split, the change made on the fragment 904,is propagated to the devices in the fragment 902 after the merge.

In the case where, two users change the commissioning credentials on therespective two fragments 902 and 904 during the split, the two userseach believe they are changing the commissioning credential on theentire mesh network 100. However, because the mesh network 100 isfragmented, both users are able to establish themselves as the networkcommissioner and change the commissioning credential on their respectivenetwork fragments. At some later point in time, the fragments 902 and904 merge, but it may not be known which leader, from the two fragments,will prevail as the leader for the merged mesh network. The leader thatprevails may not have a copy of the most recently changed commissioningcredentials. Since the commissioning credentials were changedindependently on the two fragments, the fragment with the most recentlyupdated commissioning credential takes precedence.

To determine which network credential of the two is the most recent, thecommissioning dataset includes timestamp information, as well as thecommissioning credential to resolve differences between thecommissioning credentials when the mesh network merges. The timestampinformation enables nodes in the mesh network 100 to determine the mostrecent update to the commissioning credentials in any fragment, andsynchronize the commissioning dataset in the devices in the mesh network100 to the most recently updated commissioning credentials.

The timestamp information includes a timestamp and an indication ofwhether the timestamp is traceable to Coordinated Universal Time (UTC),or is a relative time reference within the mesh network 100. Forexample, if the commissioning device 210 is a device, such as a smartphone or computer that has access to network time, such as using NetworkTime Protocol (NTP), access to time provided over a cellular network,timing information from a Global Positioning System (GPS) receiver, andso forth, the timestamp is traceable to UTC. By way of example and notlimitation, the timestamp being traceable to UTC, the timestamp isexpressed in units of seconds traceable to a known epoch, for example inunits of 2⁻¹⁵ seconds since the start of UNIX® time. When the timestampis UTC-traceable time, the indication, such as a U-bit, is set toindicate that the timestamp is traceable to UTC.

In the event that the commissioning device 210 is an embedded system,such as the native commissioner, which does not have access toUTC-traceable time, then the timestamp contains a relative time value.The relative time value is determined by using a previous value of thetimestamp, as provided by the leader 216, and adding an increment ofclock ticks to the previous timestamp to produce the timestamp for theupdated commissioning dataset. By way of example and not limitation, thetime ticks may be a 15-bit representation of sub-second time ticksderived from a 32 kHz clock of the native commissioner. When thetimestamp is the relative time, the indication, such as the U-bit is setto a value of zero, to indicate that the timestamp is expressed asrelative time. The increment of the timestamp for relative time allowschanges to the commissioning data to be detected. When the partitionsmerge, if one of the commissioning timestamps is traceable to UTC and asecond is relative time, the commissioning data with the UTC-traceabletimestamp will be given a higher priority.

In the event that the timestamps are identical between the commissioningcredentials, which were updated separately during the split, alternativemeans may be used to break the tie between the timestamps. In someembodiments, a lexicographical comparison (e.g., memcmp) may beperformed to determine which credential is more recent. In certainembodiments, network fragments may be prioritized, such that changes tothe commissioning credential on one network fragment will be adopted inthe event of the tie between the timestamps. For example, the networkfragment with the border router 202 may be deemed as the highestpriority fragment, such that if the network fragments 902 and 904 eachreceive commissioning credential changes that include identicaltimestamps, the change in the network fragment 902 change will beadopted in the event of identical timestamps values in the commissioningdataset of the two fragments.

Example methods 1000 through 1800 are described with reference torespective FIGS. 10-18 in accordance with one or more embodiments ofmesh network commissioning. Generally, any of the components, modules,methods, and operations described herein can be implemented usingsoftware, firmware, hardware (e.g., fixed logic circuitry), manualprocessing, or any combination thereof. Some operations of the examplemethods may be described in the general context of executableinstructions stored on computer-readable storage memory that is localand/or remote to a computer processing system, and implementations caninclude software applications, programs, functions, and the like.Alternatively or in addition, any of the functionality described hereincan be performed, at least in part, by one or more hardware logiccomponents, such as, and without limitation, Field-programmable GateArrays (FPGAs), Application-specific Integrated Circuits (ASICs),Application-specific Standard Products (ASSPs), System-on-a-chip systems(SoCs), Complex Programmable Logic Devices (CPLDs), and the like.

FIG. 10 illustrates example method(s) 1000 of mesh network commissioningas generally related to joining nodes in a mesh network. The order inwhich the method blocks are described are not intended to be construedas a limitation, and any number of the described method blocks can becombined in any order to implement a method, or an alternate method.

At block 1002, a beacon request is received from a joining device and,at block 1004, a beacon is transmitted from the joiner router to thejoining device, where the beacon provides an indication that a meshnetwork is available for joining. For example, a joiner router 214 in amesh network 100 receives a beacon request from a joining device 212 andthen transmits a beacon to the joining device, where the beacon providesan indication that the mesh network 100 is available for joining. Thetransmitted beacon is effective to enable the joining device 212 toestablish a local link between the joining device and the joiner router.

At block 1006, a message is received from the joining device requestingto join a mesh network. For example, a joiner router 214 in a meshnetwork 100 receives a message from a joining device 212 requesting tojoin the mesh network. The message that is received from the joiningdevice 212 can include an encrypted device identifier that is usable toauthenticate the joining device, which is authenticated using PasswordAuthenticated Key Exchange by Juggling (J-PAKE), and the authenticationis effective to establish a secure communication session between acommissioning device 210 of the mesh network 100 and the joining device.

At block 1008, the received message is forwarded to a commissioningdevice of the mesh network. For example, the joiner router 214 forwardsthe received message from the joining device 212 to the commissioningdevice 210 of the mesh network 100. In implementations, the message canbe received and forwarded using Datagram Transport Layer Security(DTLS), or using User Datagram Protocol (UDP). Additionally, the joinerrouter 214 forwarding the received message to the commissioning device210 can include forwarding the received message through one or morerouters of the mesh network 100 in a communication path between thejoiner router 214 and the commissioning device 210. In implementations,one of the routers may be a border router 202 that connects the meshnetwork 100 to an external network, and the commissioning device isattached to the external network.

At block 1010, an authorization is received for the joining device tojoin the mesh network and, at block 1012, network information istransmitted to the joining device, the network information effective toenable the joining device to join the mesh network 100. For example, thejoiner router 214 receives an authorization for the joining device 212to join the mesh network 100 from the commissioning device 210, and thejoiner router 214 transmits network information to the joining device,where the network information is effective to enable the joining device212 to join the mesh network.

FIG. 11 illustrates example method(s) 1100 of mesh network commissioningas generally related to joining nodes in a mesh network. The order inwhich the method blocks are described are not intended to be construedas a limitation, and any number of the described method blocks can becombined in any order to implement a method, or an alternate method.

At block 1102, a beacon request is received from a joining device and,at block 1104, a beacon is transmitted from the joiner router to thejoining device, where the beacon provides an indication that a meshnetwork is available for joining. For example, a joiner router 214 in amesh network 100 receives a beacon request from a joining device 212 andthen transmits a beacon to the joining device, where the beacon providesan indication that the mesh network 100 is available for joining. Thebeacon includes a network name of the mesh network 100 and steering datathat indicates one or more joining devices 212 that are allowed to jointhe mesh network. The transmitted beacon is effective to enable thejoining device to establish a local link between the joining device andthe joiner router.

At block 1106, a DTLS-ClientHello message is received from the joiningdevice requesting to join the mesh network and, at block 1108, thereceived DTLS-ClientHello message is encapsulated in a DTLS RelayReceive Notification message. For example, the joiner router receives aDTLS-ClientHello message from the joining device 212 requesting to jointhe mesh network 100 and encapsulates the received DTLS-ClientHellomessage in a DTLS Relay Receive Notification message. TheDTLS-ClientHello message can be received from the joining device 212utilizing User Datagram Protocol (UDP), and the DTLS Relay ReceiveNotification message includes an address of the joining device 212, anaddress of the joiner router 214, and the received DTLS-ClientHellomessage.

At block 1110, the DTLS Relay Receive Notification message istransmitted to a commissioning device of the mesh network. For example,the joiner router transmits the DTLS Relay Receive Notification messageto the commissioning device 210 of the mesh network 100. Inimplementations, the joiner router may apply rate limiting to thetransmission of DTLS Relay Receive Notification messages transmitted tothe commissioning device 210 from joining devices.

At block 1112, a DTLS Relay Transmit Notification message is receivedfrom the commissioning device and, at block 1114, content of the DTLSRelay Transmit Notification message is transmitted to the joiningdevice, where the content enables the joining device to join the meshnetwork. For example, the joiner router receives a DTLS Relay TransmitNotification message from the commissioning device 210 and transmitscontent of the DTLS Relay Transmit Notification message to the joiningdevice 212, where the content enables the joining device to join themesh network 100 and the content is effective to establish a securecommunication session between the commissioning device 210 and thejoining device. The DTLS Relay Transmit Notification message includesthe address of the joining device 212, the address of the joiner router214, and a DTLS-HelloVerify message.

At block 1116, an indication is received from the commissioning devicethat the joining device is to be entrusted to receive networkcredentials for the mesh network and, at block 1118, a Key EncryptionKey (KEK) is received that is shared between the commissioning deviceand the joining device. For example, the joiner router 214 receives anindication from the commissioning device 210 that the joining device 212is to be entrusted to receive network credentials for the mesh network100, as well as receives a Key Encryption Key (KEK) that is sharedbetween the commissioning device 210 and the joining device.

At block 1120, the network credentials are transmitted to the joiningdevice using the KEK to secure communication of the network credentials.For example, the joiner router transmits the network credentials, whichinclude a network master key, to the joining device 212 using the KEK tosecure communication of the network credentials, and the securecommunication session is usable to perform provisioning of the joiningdevice.

FIG. 12 illustrates example method(s) 1200 of mesh network commissioningas generally related to establishing a commissioning session in a meshnetwork. The order in which the method blocks are described are notintended to be construed as a limitation, and any number of thedescribed method blocks can be combined in any order to implement amethod, or an alternate method.

At block 1202, the availability of a mesh network is advertised forcommissioning devices and, at block 1204, a petition is received from acommissioning device to become the commissioner for a mesh network. Forexample, a border router 202 of a mesh network 100 advertises theavailability of the mesh network for commissioning devices, and receivesa petition from a commissioning device 210 to become the commissionerfor the mesh network. The petition can be received from thecommissioning device 210 in response to advertising the availability ofthe mesh network. The commissioning device 210 to can also request tosecurely connect to the border router 202, and the secure connection isestablished using Datagram Transport Layer Security (DTLS).Additionally, the commissioning device 210 and the border router 202 cancommunicate over a network other than the mesh network, such as over aWi-Fi network or an Ethernet network.

At block 1206, the received petition is transmitted to a leader deviceof the mesh network and, at block 1208, Receive a response to thepetition from the leader device, the response indicating acceptance orrejection of the petition. For example, the border router 202 transmitsthe received petition from the commissioning device 210 to a leaderdevice 216 of the mesh network 100 and, then receives a response to thepetition from the leader device 216, where the response indicatesacceptance or rejection of the petition. The advertising can beperformed using a service discovery protocol that is Multicast DomainName System (mDNS).

At block 1210, an indication of the acceptance or the rejection of thepetition is transmitted to the commissioning device. For example, theborder router 202 transmits an indication of the acceptance or therejection of the petition to the commissioning device 210, andacceptance of the petition by the leader device 216 authorizes thecommissioning device 210 to be the commissioner for the mesh network.The acceptance of the petition establishes a secure commissioningsession, and the acceptance of the petition enables the leader device216 to update an internal state that tracks an active commissioner forthe mesh network, set a permit-join flag for the mesh network to true,and propagate a commissioning dataset within the mesh network.

At block 1212, an identity of the commissioning device is registeredwith the border router to establish a secure commissioning communicationsession. For example, the border router 202 registers the identity ofthe commissioning device 210 with the border router 202 to establish thesecure commissioning communication session. Registering the identity ofthe commissioning device 210 includes providing an encryptedcommissioning credential to the border router 202, wherein the encryptedcommissioning credential was derived from a commissioning credentialinput to the commissioning device 210 by a user. The border router 202includes a copy of the encrypted commissioning credential usable toauthenticate the commissioning device 210 to the mesh network 100, wherethe copy of the encrypted commissioning credential was previouslyderived from the commissioning credential, the commissioning credentialwas injected into the leader device 216 of the mesh network 100 thatderived the copy of the encrypted commissioning credential, and theleader device 216 communicated the copy of the encrypted commissioningcredential securely to the border router.

FIG. 13 illustrates example method(s) 1300 of mesh network commissioningas generally related to establishing a commissioning session in a meshnetwork. The order in which the method blocks are described are notintended to be construed as a limitation, and any number of thedescribed method blocks can be combined in any order to implement amethod, or an alternate method.

At block 1302, a petition is received to accept a commissioning deviceas a commissioner to commission joining devices to join the meshnetwork. For example, a leader device 216 of the mesh network 100receives a petition to accept a commissioning device 210 as acommissioner to commission joining devices 212 to join the mesh network.The petition is received from a border router 202 that is connected tothe leader device 216 over the mesh network, and the commissioningdevice 210 is connected to the border router 202 over another network,such as a Wi-Fi network or an Ethernet network. Further, the petition isreceived using a secure communication session between the border router202 and the commissioning device 210, where the secure communicationsession is established using Datagram Transport Layer Security (DTLS).The leader device 216 can receive the petition over the mesh network 100from the commissioning device 210 that includes a network interface forthe mesh network, and the commissioning device 210 petitions to be thecommissioner by setting a native commissioner bit to true in a networkbeacon. The commissioning device 210 can communicate the petition usingan IEEE 802.15.4 interface over a Constrained Application Protocol(CoAP) port to the leader device.

At block 1304, a determination is made as to whether to accept or rejectthe received petition and, at block 1306, a response is transmitted tothe commissioning device with an indication as to whether the receivedpetition is accepted or rejected. For example, the leader device 216determines whether to accept or reject the received petition and, thentransmits a response to the commissioning device 210 with an indicationas to whether the received petition is accepted or rejected. The leaderdevice 216 determines whether to accept or reject the received petitionbased on ensuring that there is a single active commissioner for themesh network 100.

At block 1308, an internal state that tracks an active commissioner forthe mesh network is updated in response to a determination of thereceived petition being accepted. For example, the leader device 216updates an internal state that tracks an active commissioner for themesh network.

At block 1310, a command is received from the commissioning device toinitiate a joining mode for the mesh network and, at block 1312, acommissioning dataset is propagated within the mesh network. Forexample, the leader device 216 receives a command from the commissioningdevice 210 to initiate a joining mode for the mesh network 100, andpropagates a commissioning dataset within the mesh network. Thecommissioning dataset includes a commissioner session identifier, acommissioner timestamp, an encrypted commissioner credential, and asecurity policy that indicates which security-related operations areallowed in the mesh network. When the commissioner is active on the meshnetwork 100, the commissioning dataset further comprises a location ofthe border router 202. When a joining mode is enabled in the meshnetwork, the commissioning data set further comprises steering data thatindicates which of the joining devices 212 are allowed to join the meshnetwork.

At block 1314, an encrypted commissioning credential is derived from acommissioning credential that was injected into the leader device 216during commissioning of the leader device. For example, the leaderdevice 216 derives an encrypted commissioning credential from acommissioning credential that was injected into the leader device duringcommissioning of the leader device. The derivation of the encryptedcommissioning credential is performed by applying a key derivationfunction, where the key derivation function performs a hashing multipletimes using a Cipher-based Message Authentication Code (CMAC). Inimplementations, the commissioning credential is a human-scaledpassphrase, and the derivation of the encrypted commissioning credentialis effective to stretch the length of the commissioning credential.

At block 1316, a copy of the encrypted commissioning credential is sentto the border router, enabling the border router to authenticate thecommissioning device to the mesh network. For example, the leader device216 sends a copy of the encrypted commissioning credential to the borderrouter 202, enabling the border router 202 to authenticate thecommissioning device 210 to the mesh network.

FIG. 14 illustrates example method(s) 1400 of mesh network commissioningas generally related to managing multiple commissioning sessions in amesh network. The order in which the method blocks are described are notintended to be construed as a limitation, and any number of thedescribed method blocks can be combined in any order to implement amethod, or an alternate method.

At block 1402, a secure commissioning communication session isestablished between a commissioning device and a border router of a meshnetwork. For example, a commissioning device 210 establishes a securecommissioning communication session between the commissioning device anda border router 202 of a mesh network 100 to securely establish networkcommunication sessions for joining one or more joining devices 212 tothe mesh network. The commissioning device 210 establishes the securecommissioning communication session by sending a petition from thecommissioning device to a leader device 216 of the mesh network 100 torequest acceptance of the commissioning device 210 as an activecommissioner for the mesh network, and the commissioning device receivesan indication of an acceptance of the petition from the leader device.

At block 1404, joining for the mesh network is activated. For example,the commissioning device activates joining for the mesh network byinitiating a joining mode that causes one or more routers in the meshnetwork to advertise the mesh network is accepting joining requests. Thecommissioning device 210 can also activate joining for the mesh network100 by sending a management message to a leader device 216 to make themesh network joinable, where the management message enables the leaderdevice 216 to update network data for the mesh network. The network datais propagated to one or more router devices in the mesh network, wherethe network data includes an indication that the mesh network 100 isavailable for joining. The network data can be broadcast in a beacon bythe router devices, and the management message includes steering datathat indicates one or more joining devices 212 that the commissioningdevice 210 is configured to join to the mesh network.

At block 1406, a request is received from one of the joining devices tojoin the mesh network. For example, the commissioning device 210receives a request from one of the joining devices 212 to join the meshnetwork 100, and the request may be received via a joiner router. Thecommissioning device 210 can transmit, to the joiner router 214, anindication that the joining device 212 is to be entrusted to receivenetwork credentials for the mesh network 100 and a Key Encryption Key(KEK), which is shared between the commissioning device 210 and thejoining device. The indication that is transmitted to the joiner router214 enables the joiner router to use the received KEK to securelytransmit the network credentials to the joining device 212 to commissionthe joining device to the mesh network. The request received from thejoining device 212 can include an encrypted device identifier of thejoining device, where the encrypted device identifier is derived from adevice identifier of the joining device using Password AuthenticationKey Exchange by Juggling (J-PAKE).

At block 1408, a secure joiner communication session is establishedbetween the commissioning device and the joining device. For example,the commissioning device 210 establishes a secure joiner communicationsession between the commissioning device and the joining device 212. Thecommissioning device 210 can establish the secure joiner communicationsession by determining that the encrypted device identifier receivedfrom the joining device 212 matches an encrypted device identifierderived by the commissioning device 210 from a copy of the deviceidentifier that is received as an input to the commissioning device froma user, and the commissioning device 210 uses the encrypted deviceidentifier as a shared secret to secure the joiner communicationsession.

At block 1410, the joining device is authenticated using an encrypteddevice identifier and, at block 1412, the joining device is joined tothe mesh network. For example, the commissioning device 210authenticates the joining device 212 using an encrypted deviceidentifier, and joins the joining device 212 to the mesh network.

FIG. 15 illustrates example method(s) 1500 of mesh network commissioningas generally related to provisioning a joining device in a mesh network.The order in which the method blocks are described are not intended tobe construed as a limitation, and any number of the described methodblocks can be combined in any order to implement a method, or analternate method.

At block 1502, a commissioning communication session is establishedbetween a commissioning device and a border router of a mesh network.For example, the commissioning device 210 of the mesh network 100establishes a commissioning communication session between thecommissioning device 210 and a border router 202 of the mesh network. Atblock 1504, a joiner communication session is established between thejoining device and the commissioning device. For example, thecommissioning device 210 of the mesh network 100 establishes a joinercommunication session between the joining device 212 and thecommissioning device.

At block 1506, commissioning information is sent to the joining device,where the commissioning information is usable by the joining device tojoin the mesh network. For example, the commissioning device 210 of themesh network 100 sends the joining device the commissioning informationthat the joining device 212 can use to join the mesh network.

At block 1508, an indication of a location of a commissioner applicationis received from the joining device and, at 1510, the commissionerapplication is retrieved utilizing the received indication. For example,the commissioning device 210 receives a location indication of thecommissioner application from the joining device, where the receivedlocation indication can be a Uniform Resource Locator (URL) and thecommissioning application retrieves the commissioner application overthe Internet from a cloud service. The commissioning device 210 can alsouse the received URL to determine if the commissioner application isstored in a memory of the commissioning device.

At block 1512, the commissioner application is executed to provision thejoining device. For example, the commissioning device 210 utilizes thecommissioner application to provision the joining device. Theprovisioning of the joining device 212 can include updating software onthe joining device, linking the joining device to a user account on acloud service, and/or configuring the joining device, where theconfiguration is a local configuration related to other devices in themesh network. At block 1514, commissioning of the joining device isfinalized, enabling the joining device to join the mesh network. Forexample, the commissioning device 210 of the mesh network 100 finalizesthe commissioning, enabling the joining device 212 to join the meshnetwork.

FIG. 16 illustrates example method(s) 1600 of mesh network commissioningas generally related to hunting and steering in a mesh network. Theorder in which the method blocks are described are not intended to beconstrued as a limitation, and any number of the described method blockscan be combined in any order to implement a method, or an alternatemethod.

At block 1602, steering data for a mesh network is determined, where thesteering data includes an indication of a device identifier associatedwith a device that is allowed to join the mesh network. For example, thecommissioning device 210 of the mesh network 100 determines the steeringdata for the mesh network, and the steering data includes an indicationof a device identifier associated with a device that is allowed to jointhe mesh network. In implementations, the steering data is a 16-bitCyclic Redundancy Check (CRC16) of the device identifier, which is anIEEE 64-bit Extended Unique Identifier (EUI-64). The commissioningdevice 210 may also determine the steering data for the mesh network 100by determining the steering data for additional device identifiersassociated with additional devices that are allowed to join the meshnetwork.

At block 1604, the steering data is propagated from the commissioningdevice for the mesh network to routers in the mesh network. For example,the commissioning device 210 of the mesh network 100 propagates thesteering data to routers in the mesh network, and the steering dataindicates that a commissioner is active on the mesh network. Propagatingthe steering data enables the routers 102 to transmit the steering datain a beacon message, and the steering data is effective to enable thedevice associated with the device identifier to identify that the deviceis allowed to join the mesh network. The commissioning device 210propagating the steering data is effective to enable the device todistinguish the mesh network from other networks, where the othernetworks are IEEE 802.15.4 networks.

FIG. 17 illustrates example method(s) 1700 of mesh network commissioningas generally related to hunting and steering in a mesh network. Theorder in which the method blocks are described are not intended to beconstrued as a limitation, and any number of the described method blockscan be combined in any order to implement a method, or an alternatemethod.

At block 1702, steering data for a mesh network is determined, where thesteering data includes an indication of a device identifier associatedwith a device that is allowed to join the mesh network, and theindication is represented as a set of values in a Bloom filter thatrepresent the device identifier. For example, the commissioning device210 of the mesh network 100 determines the steering data for the meshnetwork, and the steering data includes an indication represented as aset of values in a Bloom filter that represent the device identifier. Inimplementations, the commissioning device 210 determines the steeringdata by applying a first hash function to the device identifier toproduce a first hash value, and applying a second hash function to thedevice identifier to produce a second hash value. The device identifiercan be an IEEE 64-bit Extended Unique Identifier (EUI-64), where thedevice identifier is the least significant twenty-four bits of theEUI-64. In implementations, the first and second hash functions areCyclic Redundancy Checks (CRC), with the first hash function being aCRC16-CCITT, and the second hash function being a CRC16-ANSI.

The commissioning device 210 then performs a modulo operation on thefirst hash value to determine a first bit field location in the Bloomfilter, and performs the modulo operation on the second hash value todetermine a second bit field location in the Bloom filter. A divisor forthe modulo operation can be the length of a bit array of the Bloomfilter. The commissioning device 210 can set a value in the first bitfield location of the Bloom filter to one, and set the value in thesecond bit field location of the Bloom filter to one. The commissioningdevice 210 can set all of the bit field values in the steering data to avalue of one to indicate that the mesh network is joinable for anydevice. Alternatively, the commissioning device 210 can set the bitfield values of the steering data to a value of zero, which disablesjoining for the mesh network.

At block 1704, the steering data is propagated from the commissioningdevice for the mesh network to routers in the mesh network. For example,the commissioning device 210 of the mesh network 100 propagates thesteering data to routers in the mesh network, and the steering dataindicates that a commissioner is active on the mesh network. Propagatingthe steering data enables the routers 102 to transmit the steering datain a beacon message, and the steering data enables the device associatedwith the device identifier to compare the set of values in the Bloomfilter to a second set of values determined at the device to identifythat the device is allowed to join the mesh network.

FIG. 18 illustrates example method(s) 1800 of mesh network commissioningas generally related to partitioning nodes in a mesh network. The orderin which the method blocks are described are not intended to beconstrued as a limitation, and any number of the described method blockscan be combined in any order to implement a method, or an alternatemethod.

At block 1802, a commissioning dataset is received at a node device inthe mesh network. For example, a node device (e.g., a router 102 or anend device 106) at a node in a mesh network 100 receives a commissioningdataset that includes a received timestamp, a commissioning credential,a network name of the mesh network, and a security policy that indicateswhich security-related operations are allowed in the mesh network. Thereceived timestamp includes a time value, and an indication that thetime value is traceable to Coordinated Universal Time (UTC).

At block 1804, the received timestamp that is included in the receivedcommissioning dataset is compared with a stored timestamp included in acommissioning dataset that is stored in the node device. For example,the node device in the mesh network 100 compares the received timestampin the received commissioning dataset with a stored timestamp includedin the commissioning dataset that is stored in the node device. Inimplementations, the node device and the leader device were previouslycommissioned to the mesh network, and the previous commissioning storedidentical commissioning datasets in the node device and the leaderdevice. The stored commissioning dataset in the node device can beupdated after a split of the mesh network that stops communicationbetween the node device and the leader device over the mesh network. Thesplit separates the mesh network and a first partition of the meshnetwork includes the leader device, and a second partition of the meshnetwork includes the node device. The node device can receive thecommissioning dataset after a merge of the first partition and thesecond partition of the mesh network, where the merge reestablishes acommunication path between the node device and the leader device overthe mesh network.

At block 1806, a determination is made as to whether the storedtimestamp that is included in the commissioning dataset stored in thenode device is more recent than the timestamp included in the receivedcommissioning dataset. For example, based on the comparison (at block1806), the node device determines whether the stored timestamp that isincluded in the commissioning dataset stored in the node device is morerecent than the timestamp included in the received commissioningdataset.

If the stored timestamp is more recent than the received timestamp(i.e., “Yes” from 1806), then at 1808, a message is transmitted to aleader device of the mesh network, the message including the storedcommissioning dataset. For example, the node device in the mesh networktransmits a message that includes the stored commissioning dataset to aleader device of the mesh network 100. The transmitted message enablesthe leader device to accept the stored commissioning dataset as the mostrecent commissioning dataset for the mesh network, and propagate thestored commissioning dataset to the mesh network. Alternatively, if thereceived timestamp is more recent than the stored timestamp (i.e., “No”from 1806), then at 1810, the stored commissioning dataset is updated tomatch the received commissioning dataset. For example, the node devicein the mesh network updates the stored commissioning dataset to matchthe received commissioning dataset

FIG. 19 illustrates an example environment 1900 in which the meshnetwork 100 (as described with reference to FIG. 1), and embodiments ofmesh network commissioning can be implemented. Generally, theenvironment 1900 includes the mesh network 100 implemented as part of asmart-home or other type of structure with any number of mesh networkdevices that are configured for communication in a mesh network. Forexample, the mesh network devices can include a thermostat 1902, hazarddetectors 1904 (e.g., for smoke and/or carbon monoxide), cameras 1906(e.g., indoor and outdoor), lighting units 1908 (e.g., indoor andoutdoor), and any other types of mesh network devices 1910 that areimplemented inside and/or outside of a structure 1912 (e.g., in asmart-home environment). In this example, the mesh network devices canalso include any of the previously described devices, such as acommissioning device 210, a border router 202, a joiner router 214, aswell as any of the devices implemented as a router 102, an end device106, and/or a joining device 212.

In the environment 1900, any number of the mesh network devices can beimplemented for wireless interconnection to wirelessly communicate andinteract with each other. The mesh network devices are modular,intelligent, multi-sensing, network-connected devices, that canintegrate seamlessly with each other and/or with a central server or acloud-computing system to provide any of a variety of useful smart-homeobjectives and implementations. An example of a mesh network device thatcan be implemented as any of the devices described herein is shown anddescribed with reference to FIG. 20.

In implementations, the thermostat 1902 may include a Nest® LearningThermostat that detects ambient climate characteristics (e.g.,temperature and/or humidity) and controls a HVAC system in thesmart-home environment. The learning thermostat 1902 and other smartdevices “learn” by capturing occupant settings to the devices. Forexample, the thermostat learns preferred temperature set-points formornings and evenings, and when the occupants of the structure areasleep or awake, as well as when the occupants are typically away or athome.

A hazard detector 1904 can be implemented to detect the presence of ahazardous substance or a substance indicative of a hazardous substance(e.g., smoke, fire, or carbon monoxide). In examples of wirelessinterconnection, a hazard detector 1904 may detect the presence ofsmoke, indicating a fire in the structure, in which case the hazarddetector that first detects the smoke can broadcast a low-power wake-upsignal to all of the connected mesh network devices. The other hazarddetectors 1904 can then receive the broadcast wake-up signal andinitiate a high-power state for hazard detection and to receive wirelesscommunications of alert messages. Further, the lighting units 1908 canreceive the broadcast wake-up signal and activate in the region of thedetected hazard to illuminate and identify the problem area. In anotherexample, the lighting units 1908 may activate in one illumination colorto indicate a problem area or region in the structure, such as for adetected fire or break-in, and activate in a different illuminationcolor to indicate safe regions and/or escape routes out of thestructure.

In various configurations, the mesh network devices 1910 can include anentryway interface device that functions in coordination with anetwork-connected door lock system, and that detects and responds to aperson's approach to or departure from a location, such as an outer doorof the structure 1912. The entryway interface device can interact withthe other mesh network devices based on whether someone has approachedor entered the smart-home environment. An entryway interface device cancontrol doorbell functionality, announce the approach or departure of aperson via audio or visual means, and control settings on a securitysystem, such as to activate or deactivate the security system whenoccupants come and go. The mesh network devices 1910 can also includeother sensors and detectors, such as to detect ambient lightingconditions, detect room-occupancy states (e.g., with an occupancysensor), and control a power and/or dim state of one or more lights. Insome instances, the sensors and/or detectors may also control a powerstate or speed of a fan, such as a ceiling fan. Further, the sensorsand/or detectors may detect occupancy in a room or enclosure, andcontrol the supply of power to electrical outlets or devices, such as ifa room or the structure is unoccupied.

The mesh network devices 1910 may also include connected appliancesand/or controlled systems, such as refrigerators, stoves and ovens,washers, dryers, air conditioners, pool heaters, irrigation systems,security systems, and so forth, as well as other electronic andcomputing devices, such as televisions, entertainment systems,computers, intercom systems, garage-door openers, ceiling fans, controlpanels, and the like. When plugged in, an appliance, device, or systemcan announce itself to the mesh network as described above, and can beautomatically integrated with the controls and devices of the meshnetwork, such as in the smart-home. It should be noted that the meshnetwork devices 1910 may include devices physically located outside ofthe structure, but within wireless communication range, such as a devicecontrolling a swimming pool heater or an irrigation system.

As described above, the mesh network 100 includes a border router 202that interfaces for communication with an external network, outside themesh network 100. The border router 202 connects to an access point 204,which connects to the communication network 206, such as the Internet. Acloud service 208, which is connected via the communication network 206,provides services related to and/or using the devices within the meshnetwork 100. By way of example, the cloud service 208 can includeapplications for connecting end user devices, such as smart phones,tablets, and the like, to devices in the mesh network, processing andpresenting data acquired in the mesh network 100 to end users, linkingdevices in one or more mesh networks 100 to user accounts of the cloudservice 208, provisioning and updating devices in the mesh network 100,and so forth. For example, a user can control the thermostat 1902 andother mesh network devices in the smart-home environment using anetwork-connected computer or portable device, such as a mobile phone ortablet device. Further, the mesh network devices can communicateinformation to any central server or cloud-computing system via theborder router 202 and the access point 204. The data communications canbe carried out using any of a variety of custom or standard wirelessprotocols (e.g., Wi-Fi, ZigBee for low power, 6LoWPAN, etc.) and/or byusing any of a variety of custom or standard wired protocols (CAT6Ethernet, HomePlug, etc.).

Any of the mesh network devices in the mesh network 100 can serve aslow-power and communication nodes to create the mesh network 100 in thesmart-home environment. Individual low-power nodes of the network canregularly send out messages regarding what they are sensing, and theother low-powered nodes in the environment—in addition to sending outtheir own messages—can repeat the messages, thereby communicating themessages from node to node (i.e., from device to device) throughout themesh network. The mesh network devices can be implemented to conservepower, particularly when battery-powered, utilizing low-poweredcommunication protocols to receive the messages, translate the messagesto other communication protocols, and send the translated messages toother nodes and/or to a central server or cloud-computing system. Forexample, an occupancy and/or ambient light sensor can detect an occupantin a room as well as measure the ambient light, and activate the lightsource when the ambient light sensor detects that the room is dark andwhen the occupancy sensor detects that someone is in the room. Further,the sensor can include a low-power wireless communication chip (e.g., aZigBee chip) that regularly sends out messages regarding the occupancyof the room and the amount of light in the room, including instantaneousmessages coincident with the occupancy sensor detecting the presence ofa person in the room. As mentioned above, these messages may be sentwirelessly, using the mesh network, from node to node (i.e., smartdevice to smart device) within the smart-home environment as well asover the Internet to a central server or cloud-computing system.

In other configurations, various ones of the mesh network devices canfunction as “tripwires” for an alarm system in the smart-homeenvironment. For example, in the event a perpetrator circumventsdetection by alarm sensors located at windows, doors, and other entrypoints of the structure or environment, the alarm could still betriggered by receiving an occupancy, motion, heat, sound, etc. messagefrom one or more of the low-powered mesh nodes in the mesh network. Inother implementations, the mesh network can be used to automaticallyturn on and off the lighting units 1908 as a person transitions fromroom to room in the structure. For example, the mesh network devices candetect the person's movement through the structure and communicatecorresponding messages via the nodes of the mesh network. Using themessages that indicate which rooms are occupied, other mesh networkdevices that receive the messages can activate and/or deactivateaccordingly. As referred to above, the mesh network can also be utilizedto provide exit lighting in the event of an emergency, such as byturning on the appropriate lighting units 1908 that lead to a safe exit.The light units 1908 may also be turned-on to indicate the directionalong an exit route that a person should travel to safely exit thestructure.

The various mesh network devices may also be implemented to integrateand communicate with wearable computing devices, such as may be used toidentify and locate an occupant of the structure, and adjust thetemperature, lighting, sound system, and the like accordingly. In otherimplementations, RFID sensing (e.g., a person having an RFID bracelet,necklace, or key fob), synthetic vision techniques (e.g., video camerasand face recognition processors), audio techniques (e.g., voice, soundpattern, vibration pattern recognition), ultrasound sensing/imagingtechniques, and infrared or near-field communication (NFC) techniques(e.g., a person wearing an infrared or NFC-capable smartphone), alongwith rules-based inference engines or artificial intelligence techniquesthat draw useful conclusions from the sensed information as to thelocation of an occupant in the structure or environment.

In other implementations, personal comfort-area networks, personalhealth-area networks, personal safety-area networks, and/or other suchhuman-facing functionalities of service robots can be enhanced bylogical integration with other mesh network devices and sensors in theenvironment according to rules-based inferencing techniques orartificial intelligence techniques for achieving better performance ofthese functionalities. In an example relating to a personal health-area,the system can detect whether a household pet is moving toward thecurrent location of an occupant (e.g., using any of the mesh networkdevices and sensors), along with rules-based inferencing and artificialintelligence techniques. Similarly, a hazard detector service robot canbe notified that the temperature and humidity levels are rising in akitchen, and temporarily raise a hazard detection threshold, such as asmoke detection threshold, under an inference that any small increasesin ambient smoke levels will most likely be due to cooking activity andnot due to a genuinely hazardous condition. Any service robot that isconfigured for any type of monitoring, detecting, and/or servicing canbe implemented as a mesh node device on the mesh network, conforming tothe wireless interconnection protocols for communicating on the meshnetwork.

The mesh network devices 1910 may also include a smart alarm clock foreach of the individual occupants of the structure in the smart-homeenvironment. For example, an occupant can customize and set an alarmdevice for a wake time, such as for the next day or week. Artificialintelligence can be used to consider occupant responses to the alarmswhen they go off and make inferences about preferred sleep patterns overtime. An individual occupant can then be tracked in the mesh networkbased on a unique signature of the person, which is determined based ondata obtained from sensors located in the mesh network devices, such assensors that include ultrasonic sensors, passive IR sensors, and thelike. The unique signature of an occupant can be based on a combinationof patterns of movement, voice, height, size, etc., as well as usingfacial recognition techniques.

In an example of wireless interconnection, the wake time for anindividual can be associated with the thermostat 1902 to control theHVAC system in an efficient manner so as to pre-heat or cool thestructure to desired sleeping and awake temperature settings. Thepreferred settings can be learned over time, such as by capturing thetemperatures set in the thermostat before the person goes to sleep andupon waking up. Collected data may also include biometric indications ofa person, such as breathing patterns, heart rate, movement, etc., fromwhich inferences are made based on this data in combination with datathat indicates when the person actually wakes up. Other mesh networkdevices can use the data to provide other smart-home objectives, such asadjusting the thermostat 1902 so as to pre-heat or cool the environmentto a desired setting, and turning-on or turning-off the lights 1908.

In implementations, the mesh network devices can also be utilized forsound, vibration, and/or motion sensing such as to detect running waterand determine inferences about water usage in a smart-home environmentbased on algorithms and mapping of the water usage and consumption. Thiscan be used to determine a signature or fingerprint of each water sourcein the home, and is also referred to as “audio fingerprinting waterusage.” Similarly, the mesh network devices can be utilized to detectthe subtle sound, vibration, and/or motion of unwanted pests, such asmice and other rodents, as well as by termites, cockroaches, and otherinsects. The system can then notify an occupant of the suspected pestsin the environment, such as with warning messages to help facilitateearly detection and prevention.

FIG. 20 illustrates an example mesh network device 2000 that can beimplemented as any of the mesh network devices in a mesh network inaccordance with one or more embodiments of mesh network commissioning asdescribed herein. The device 2000 can be integrated with electroniccircuitry, microprocessors, memory, input output (I/O) logic control,communication interfaces and components, as well as other hardware,firmware, and/or software to implement the device in a mesh network.Further, the mesh network device 2000 can be implemented with variouscomponents, such as with any number and combination of differentcomponents as further described with reference to the example deviceshown in FIG. 21.

In this example, the mesh network device 2000 includes a low-powermicroprocessor 2002 and a high-power microprocessor 2004 (e.g.,microcontrollers or digital signal processors) that process executableinstructions. The device also includes an input-output (I/O) logiccontrol 2006 (e.g., to include electronic circuitry). Themicroprocessors can include components of an integrated circuit,programmable logic device, a logic device formed using one or moresemiconductors, and other implementations in silicon and/or hardware,such as a processor and memory system implemented as a system-on-chip(SoC). Alternatively or in addition, the device can be implemented withany one or combination of software, hardware, firmware, or fixed logiccircuitry that may be implemented with processing and control circuits.The low-power microprocessor 2002 and the high-power microprocessor 2004can also support one or more different device functionalities of thedevice. For example, the high-power microprocessor 2004 may executecomputationally intensive operations, whereas the low-powermicroprocessor 2002 may manage less complex processes such as detectinga hazard or temperature from one or more sensors 2008. The low-powerprocessor 2002 may also wake or initialize the high-power processor 2004for computationally intensive processes.

The one or more sensors 2008 can be implemented to detect variousproperties such as acceleration, temperature, humidity, water, suppliedpower, proximity, external motion, device motion, sound signals,ultrasound signals, light signals, fire, smoke, carbon monoxide,global-positioning-satellite (GPS) signals, radio-frequency (RF), otherelectromagnetic signals or fields, or the like. As such, the sensors2008 may include any one or a combination of temperature sensors,humidity sensors, hazard-related sensors, other environmental sensors,accelerometers, microphones, optical sensors up to and including cameras(e.g., charged coupled-device or video cameras, active or passiveradiation sensors, GPS receivers, and radio frequency identificationdetectors. In implementations, the mesh network device 2000 may includeone or more primary sensors, as well as one or more secondary sensors,such as primary sensors that sense data central to the core operation ofthe device (e.g., sensing a temperature in a thermostat or sensing smokein a smoke detector), while the secondary sensors may sense other typesof data (e.g., motion, light or sound), which can be used forenergy-efficiency objectives or smart-operation objectives.

The mesh network device 2000 includes a memory device controller 2010and a memory device 2012, such as any type of a nonvolatile memoryand/or other suitable electronic data storage device. The mesh networkdevice 2000 can also include various firmware and/or software, such asan operating system 2014 that is maintained as computer executableinstructions by the memory and executed by a microprocessor. The devicesoftware may also include a commissioning application 2106 thatimplements embodiments of mesh network commissioning. The mesh networkdevice 2000 also includes a device interface 2018 to interface withanother device or peripheral component, and includes an integrated databus 2020 that couples the various components of the mesh network devicefor data communication between the components. The data bus in the meshnetwork device may also be implemented as any one or a combination ofdifferent bus structures and/or bus architectures.

The device interface 2018 may receive input from a user and/or provideinformation to the user (e.g., as a user interface), and a receivedinput can be used to determine a setting. The device interface 2018 mayalso include mechanical or virtual components that respond to a userinput. For example, the user can mechanically move a sliding orrotatable component, or the motion along a touchpad may be detected, andsuch motions may correspond to a setting adjustment of the device.Physical and virtual movable user-interface components can allow theuser to set a setting along a portion of an apparent continuum. Thedevice interface 2018 may also receive inputs from any number ofperipherals, such as buttons, a keypad, a switch, a microphone, and animager (e.g., a camera device).

The mesh network device 2000 can include network interfaces 2022, suchas a mesh network interface for communication with other mesh networkdevices in a mesh network, and an external network interface for networkcommunication, such as via the Internet. The mesh network device 2000also includes wireless radio systems 2024 for wireless communicationwith other mesh network devices via the mesh network interface and formultiple, different wireless communications systems. The wireless radiosystems 2024 may include Wi-Fi, Bluetooth™, Mobile Broadband, and/orpoint-to-point IEEE 802.15.4. Each of the different radio systems caninclude a radio device, antenna, and chipset that is implemented for aparticular wireless communications technology. The mesh network device2000 also includes a power source 2026, such as a battery and/or toconnect the device to line voltage. An AC power source may also be usedto charge the battery of the device.

FIG. 21 illustrates an example system 2100 that includes an exampledevice 2102, which can be implemented as any of the mesh network devicesthat implement embodiments of mesh network commissioning as describedwith reference to the previous FIGS. 1-20. The example device 2102 maybe any type of computing device, client device, mobile phone, tablet,communication, entertainment, gaming, media playback, and/or other typeof device. Further, the example device 2102 may be implemented as anyother type of mesh network device that is configured for communicationon a mesh network, such as a thermostat, hazard detector, camera, lightunit, commissioning device, router, border router, joiner router,joining device, end device, leader, access point, and/or other meshnetwork devices.

The device 2102 includes communication devices 2104 that enable wiredand/or wireless communication of device data 2106, such as data that iscommunicated between the devices in a mesh network, data that is beingreceived, data scheduled for broadcast, data packets of the data, datathat is synched between the devices, etc. The device data can includeany type of communication data, as well as audio, video, and/or imagedata that is generated by applications executing on the device. Thecommunication devices 2104 can also include transceivers for cellularphone communication and/or for network data communication.

The device 2102 also includes input/output (I/O) interfaces 2108, suchas data network interfaces that provide connection and/or communicationlinks between the device, data networks (e.g., a mesh network, externalnetwork, etc.), and other devices. The I/O interfaces can be used tocouple the device to any type of components, peripherals, and/oraccessory devices. The I/O interfaces also include data input ports viawhich any type of data, media content, and/or inputs can be received,such as user inputs to the device, as well as any type of communicationdata, as well as audio, video, and/or image data received from anycontent and/or data source.

The device 2102 includes a processing system 2110 that may beimplemented at least partially in hardware, such as with any type ofmicroprocessors, controllers, and the like that process executableinstructions. The processing system can include components of anintegrated circuit, programmable logic device, a logic device formedusing one or more semiconductors, and other implementations in siliconand/or hardware, such as a processor and memory system implemented as asystem-on-chip (SoC). Alternatively or in addition, the device can beimplemented with any one or combination of software, hardware, firmware,or fixed logic circuitry that may be implemented with processing andcontrol circuits. The device 2102 may further include any type of asystem bus or other data and command transfer system that couples thevarious components within the device. A system bus can include any oneor combination of different bus structures and architectures, as well ascontrol and data lines.

The device 2102 also includes computer-readable storage memory 2112,such as data storage devices that can be accessed by a computing device,and that provide persistent storage of data and executable instructions(e.g., software applications, modules, programs, functions, and thelike). The computer-readable storage memory described herein excludespropagating signals. Examples of computer-readable storage memoryinclude volatile memory and non-volatile memory, fixed and removablemedia devices, and any suitable memory device or electronic data storagethat maintains data for computing device access. The computer-readablestorage memory can include various implementations of random accessmemory (RAM), read-only memory (ROM), flash memory, and other types ofstorage memory in various memory device configurations.

The computer-readable storage memory 2112 provides storage of the devicedata 2106 and various device applications 2114, such as an operatingsystem that is maintained as a software application with thecomputer-readable storage memory and executed by the processing system2110. The device applications may also include a device manager, such asany form of a control application, software application, signalprocessing and control module, code that is native to a particulardevice, a hardware abstraction layer for a particular device, and so on.In this example, the device applications also include a commissioningapplication 2116 that implements embodiments of mesh networkcommissioning, such as when the example device 2102 is implemented asany of the mesh network devices described herein.

The device 2102 also includes an audio and/or video system 2118 thatgenerates audio data for an audio device 2120 and/or generates displaydata for a display device 2122. The audio device and/or the displaydevice include any devices that process, display, and/or otherwiserender audio, video, display, and/or image data, such as the imagecontent of a digital photo. In implementations, the audio device and/orthe display device are integrated components of the example device 2102.Alternatively, the audio device and/or the display device are external,peripheral components to the example device. In embodiments, at leastpart of the techniques described for mesh network commissioning may beimplemented in a distributed system, such as over a “cloud” 2124 in aplatform 2126. The cloud 2124 includes and/or is representative of theplatform 2126 for services 2128 and/or resources 2130.

The platform 2126 abstracts underlying functionality of hardware, suchas server devices (e.g., included in the services 2128) and/or softwareresources (e.g., included as the resources 2130), and connects theexample device 2102 with other devices, servers, etc. The resources 2130may also include applications and/or data that can be utilized whilecomputer processing is executed on servers that are remote from theexample device 2102. Additionally, the services 2128 and/or theresources 2130 may facilitate subscriber network services, such as overthe Internet, a cellular network, or Wi-Fi network. The platform 2126may also serve to abstract and scale resources to service a demand forthe resources 2130 that are implemented via the platform, such as in aninterconnected device embodiment with functionality distributedthroughout the system 2100. For example, the functionality may beimplemented in part at the example device 2102 as well as via theplatform 2126 that abstracts the functionality of the cloud 2124.

Although embodiments of mesh network commissioning have been describedin language specific to features and/or methods, the subject of theappended claims is not necessarily limited to the specific features ormethods described. Rather, the specific features and methods aredisclosed as example implementations of mesh network commissioning, andother equivalent features and methods are intended to be within thescope of the appended claims. Further, various different embodiments aredescribed and it is to be appreciated that each described embodiment canbe implemented independently or in connection with one or more otherdescribed embodiments.

A method of securely joining a joining device to a mesh networkcomprises receiving, at a joiner router, a message from the joiningdevice requesting to join the mesh network; forwarding the receivedmessage to a commissioning device of the mesh network; receiving, fromthe commissioning device, an authorization for the joining device tojoin the mesh network; and transmitting network information to thejoining device, the network information effective to enable the joiningdevice to join the mesh network.

Alternatively or in addition to the above described method, any one orcombination of: receiving a beacon request from the joining device, andtransmitting a beacon from the joiner router to the joining device, thebeacon providing an indication that the mesh network is available forjoining; said transmitting the beacon is effective to enable the joiningdevice to establish a local link between the joining device and thejoiner router; said receiving the message and said forwarding thereceived message is performed using Datagram Transport Layer Security(DTLS); said receiving the message and said forwarding the receivedmessage is performed using User Datagram Protocol (UDP); the messagereceived from the joining device comprises an encrypted deviceidentifier that is usable to authenticate the joining device, thejoining device is authenticated using Password Authenticated KeyExchange by Juggling (J-PAKE), and the authentication is effective toestablish a secure communication session between the commissioningdevice and the joining device; said forwarding the received message tothe commissioning device includes forwarding the received messagethrough one or more routers of the mesh network in a communication pathbetween the joiner router and the commissioning device; and one of theone or more routers is a border router that connects the mesh network toan external network, and wherein the commissioning device is attached tothe external network.

A mesh network device implemented as a joiner router, the mesh networkdevice comprises a mesh network interface configured for communicationin a mesh network; a memory and processor system to implement acommissioning application that is configured to: receive, via the meshnetwork interface, a message from a joining device requesting to jointhe mesh network; forward the received message to a commissioning deviceof the mesh network; receive, from the commissioning device, anauthorization for the joining device to join the mesh network; andinitiate network information being transmitted to the joining device,the network information effective to enable the joining device to jointhe mesh network.

Alternatively or in addition to the above described mesh network device,any one or combination of: the commissioning application is configuredto receive, via the mesh network interface, a beacon request from thejoining device, and initiate a beacon being transmitted from the joinerrouter to the joining device, the beacon providing an indication thatthe mesh network is available for joining; the beacon is effective toenable the joining device to establish a local link between the joiningdevice and the joiner router; the commissioning application isconfigured to receive the message and forward the received message usingDatagram Transport Layer Security (DTLS); the commissioning applicationis configured to receive the message and forward the received messageusing User Datagram Protocol (UDP); the message received from thejoining device comprises an encrypted device identifier that is usableto authenticate the joining device, the joining device is authenticatedusing Password Authenticated Key Exchange by Juggling (J-PAKE), and theauthentication is effective to establish a secure communication sessionbetween the commissioning device and the joining device; thecommissioning application is configured to forward the received messagethrough one or more routers of the mesh network in a communication pathbetween the joiner router and the commissioning device; and one of theone or more routers is a border router that connects the mesh network toan external network, and wherein the commissioning device is attached tothe external network.

A mesh network system comprises a joining device configured to requestjoining a mesh network, and a joiner router configured to: receive amessage from the joining device requesting to join the mesh network;forward the received message to a commissioning device of the meshnetwork; receive, from the commissioning device, an authorization forthe joining device to join the mesh network; and transmit networkinformation to the joining device, the network information effective toenable the joining device to join the mesh network.

Alternatively or in addition to the above described mesh network system,any one or combination of: the joiner router is configured to: receive abeacon request from the joining device, and transmit a beacon to thejoining device, the beacon providing an indication that the mesh networkis available for joining and the beacon effective to enable the joiningdevice to establish a local link between the joining device and thejoiner router; the message received from the joining device comprises anencrypted device identifier that is usable to authenticate the joiningdevice, the joining device is authenticated using Password AuthenticatedKey Exchange by Juggling (J-PAKE), and the authentication is effectiveto establish a secure communication session between the commissioningdevice and the joining device; and the joiner router is configured toforward the received message to the commissioning device through one ormore routers of the mesh network in a communication path between thejoiner router and the commissioning device, and wherein one of therouters is a border router that connects the mesh network to an externalnetwork.

A method of securely joining a joining device to a mesh networkcomprises receiving, at a joiner router, a DTLS-ClientHello message fromthe joining device requesting to join the mesh network; encapsulatingthe received DTLS-ClientHello message in a DTLS Relay ReceiveNotification message; transmitting the DTLS Relay Receive Notificationmessage to a commissioning device of the mesh network; receiving, fromthe commissioning device, a DTLS Relay Transmit Notification message;transmitting content of the DTLS Relay Transmit Notification message tothe joining device, the content effective to enable the joining deviceto join the mesh network; receiving, from the commissioning device, anindication that the joining device is to be entrusted to receive networkcredentials for the mesh network; receiving, from the commissioningdevice, a Key Encryption Key (KEK) that is shared between thecommissioning device and the joining device; and responsive to thereceiving the indication, transmitting the network credentials from thejoiner router to the joining device using the KEK to securecommunication of the network credentials.

Alternatively or in addition to the above described method, any one orcombination of: receiving a beacon request from the joining device, andtransmitting a beacon from the joiner router to the joining device; thebeacon comprises a network name, and steering data that indicates one ormore joining devices that are allowed to join the mesh network; saidreceiving the DTLS-ClientHello message from the joining device utilizingUser Datagram Protocol (UDP); the DTLS Relay Receive Notificationmessage comprises: an address of the joining device, an address of thejoiner router, and the received DTLS-ClientHello message; the DTLS RelayTransmit Notification message comprises: the address of the joiningdevice, the address of the joiner router, and a DTLS-HelloVerifymessage; transmitting the content of the DTLS Relay TransmitNotification message to the joining device is effective to establish asecure communication session between the commissioning device and thejoining device; the secure communication session is usable to performprovisioning of the joining device; and applying rate limiting totransmission of DTLS Relay Receive Notification messages transmitted tothe commissioning device from joining devices.

A mesh network device implemented as a joiner router, the mesh networkdevice comprises a mesh network interface configured for communicationin a mesh network; a memory and processor system to implement acommissioning application that is configured to: receive, via the meshnetwork interface, a DTLS-ClientHello message from a joining devicerequesting to join the mesh network; encapsulate the receivedDTLS-ClientHello message in a DTLS Relay Receive Notification message;initiate the DTLS Relay Receive Notification message being transmittedto a commissioning device of the mesh network; receive, from thecommissioning device, a DTLS Relay Transmit Notification message;initiate content of the DTLS Relay Transmit Notification message beingtransmitted to the joining device, the content effective to enable thejoining device to join the mesh network; receive, from the commissioningdevice, an indication that the joining device is to be entrusted toreceive network credentials for the mesh network; receive, from thecommissioning device, a Key Encryption Key (KEK) that is shared betweenthe commissioning device and the joining device; and responsive to theindication, initiate the network credentials being transmitted from thejoiner router to the joining device using the KEK to securecommunication of the network credentials.

Alternatively or in addition to the above described mesh network device,any one or combination of: receive, via the mesh network interface, abeacon request from the joining device, and initiate a beacon beingtransmitted from the joiner router to the joining device; thecommissioning application is configured to receive the DTLS-ClientHellomessage from the joining device utilizing User Datagram Protocol (UDP);the DTLS Relay Receive Notification message comprises: an address of thejoining device, an address of the joiner router, the receivedDTLS-ClientHello message, and wherein the DTLS Relay TransmitNotification message comprises: the address of the joining device, theaddress of the joiner router, and a DTLS-HelloVerify message; thecontent of the DTLS Relay Transmit Notification message transmitted tothe joining device is effective to establish a secure communicationsession between the commissioning device and the joining device; thesecure communication session is usable to perform provisioning of thejoining device.

A mesh network system comprises a joining device configured to requestjoining a mesh network, and a joiner router configured to: receive aDTLS-ClientHello message from the joining device requesting to join themesh network; encapsulate the received DTLS-ClientHello message in aDTLS Relay Receive Notification message; transmit the DTLS Relay ReceiveNotification message to a commissioning device of the mesh network;receive, from the commissioning device, a DTLS Relay TransmitNotification message; transmit content of the DTLS Relay TransmitNotification message to the joining device, the content effective toenable the joining device to join the mesh network; receive, from thecommissioning device, an indication that the joining device is to beentrusted to receive network credentials for the mesh network; receive,from the commissioning device, a Key Encryption Key (KEK) that is sharedbetween the commissioning device and the joining device; and responsiveto the indication, transmit the network credentials from the joinerrouter to the joining device using the KEK to secure communication ofthe network credentials.

Alternatively or in addition to the above described mesh network system,any one or combination of: receive a beacon request from the joiningdevice, and transmit a beacon from the joiner router to the joiningdevice; the beacon comprises a network name, and steering data thatindicates one or more joining devices that are allowed to join the meshnetwork; the joiner router is configured to receive the DTLS-ClientHellomessage from the joining device utilizing User Datagram Protocol (UDP);and the DTLS Relay Receive Notification message comprises: an address ofthe joining device, an address of the joiner router, the receivedDTLS-ClientHello message, and wherein the DTLS Relay TransmitNotification message comprises: the address of the joining device, theaddress of the joiner router, and a DTLS-HelloVerify message.

A method of authorizing a commissioning device to become a commissionerto commission one or more joining devices to join a mesh networkcomprises receiving, at a border router, a petition from thecommissioning device to become the commissioner for the mesh network;transmitting, to a leader device of the mesh network, the receivedpetition; receiving, from the leader device, a response to the petition,the response indicating acceptance or rejection of the petition; and inresponse to said receiving the response, transmitting to thecommissioning device an indication of the acceptance or the rejection ofthe petition.

Alternatively or in addition to the above described method, any one orcombination of: advertising, by the border router, availability of themesh network for commissioning devices, said receiving the petitionbeing in response to the commissioning device receiving saidadvertising; receiving, at the border router, a request from thecommissioning device to securely connect to the border router; thesecure connection is established using Datagram Transport Layer Security(DTLS); transmitting the indication of the acceptance of the petitionestablishes a secure commissioning session; registering an identity ofthe commissioning device with the border router to establish a securecommissioning communication session, said registering includingproviding an encrypted commissioning credential to the border router,wherein the encrypted commissioning credential was derived from acommissioning credential input to the commissioning device by a user;the border router includes a copy of the encrypted commissioningcredential usable to authenticate the commissioning device to the meshnetwork; and the copy of the encrypted commissioning credential waspreviously derived from the commissioning credential, the commissioningcredential was injected into the leader device of the mesh network thatderived the copy of the encrypted commissioning credential, and theleader device communicated the copy of the encrypted commissioningcredential securely to the border router.

A mesh network device implemented as a border router, the mesh networkdevice comprises a mesh network interface configured for communicationin a mesh network; a memory and processor system to implement acommissioning application that is configured to: receive, via the meshnetwork interface, a petition from a commissioning device to become acommissioner for the mesh network to commission one or more joiningdevices to join the mesh network; initiate the received petition beingtransmitted to a leader device of the mesh network; receive, from theleader device, a response to the petition, the response indicatingacceptance or rejection of the petition; and responsive to the receivedresponse to the petition, initiate an indication of the acceptance orthe rejection of the petition being transmitted to the commissioningdevice.

Alternatively or in addition to the above described mesh network device,any one or combination of: the commissioning application is configuredto advertise availability of the mesh network for commissioning devices,and receive the petition in response to the commissioning devicereceiving the advertised availability, and the advertised availabilityis performed using a service discovery protocol comprising MulticastDomain Name System (mDNS); the commissioning application is configuredto receive a request from the commissioning device to securely connectto the border router, and a secure connection is established usingDatagram Transport Layer Security (DTLS); the acceptance of the petitionby the leader device authorizes the commissioning device to be thecommissioner for the mesh network, the acceptance of the petitionenabling the leader device to update an internal state that tracks anactive commissioner for the mesh network, set a permit-join flag for themesh network to true, and propagate a commissioning dataset within themesh network, and the transmitted indication of the acceptance of thepetition establishes a secure commissioning session; the commissioningapplication is configured to register an identity of the commissioningdevice with the border router to establish a secure commissioningcommunication session, including an encrypted commissioning credentialprovided to the border router, the encrypted commissioning credentialwas derived from a commissioning credential input to the commissioningdevice by a user, and the border router includes a copy of the encryptedcommissioning credential usable to authenticate the commissioning deviceto the mesh network; the commissioning device and the border routercommunicate over a network other than the mesh network; and the othernetwork is one of a Wi-Fi network or an Ethernet network.

A mesh network system, comprises a commissioning device configured topetition to become a commissioner to commission one or more joiningdevices to join a mesh network, and a border router configured to:receive a petition from the commissioning device to become thecommissioner for the mesh network; transmit the received petition to aleader device of the mesh network; receive a response to the petitionfrom the leader device, the response indicating acceptance or rejectionof the petition; and transmit an indication of the acceptance or therejection of the petition to the commissioning device.

Alternatively or in addition to the above described mesh network system,any one or combination of: the border router is configured to advertiseavailability of the mesh network for commissioning devices, and receivedthe petition in response to the commissioning device receiving theadvertising; the commissioning device and the border router communicateover a network other than the mesh network; the other network is one ofa Wi-Fi network or an Ethernet network; and the border router isconfigured to transmit the indication of the acceptance of the petitionto establish a secure commissioning session.

A method implemented by a leader device of a mesh network comprisesreceiving, by a leader device, a petition to accept a commissioningdevice as a commissioner to commission joining devices to join the meshnetwork; determining whether to accept or reject the received petition;transmitting a response including an indication of said determination;and in response to said determination being an acceptance, updating aninternal state that tracks an active commissioner for the mesh network.

Alternatively or in addition to the above described method, any one orcombination of: receiving, from the commissioning device, a command toinitiate a joining mode for the mesh network; propagating acommissioning dataset within the mesh network; the commissioning datasetcomprises: a commissioner session identifier, a commissioner timestamp,an encrypted commissioner credential, and a security policy thatindicates which security-related operations are allowed in the meshnetwork; deriving the encrypted commissioning credential from acommissioning credential that was injected into the leader device duringcommissioning of the leader device; the derivation of the encryptedcommissioning credential is performed by applying a key derivationfunction, the key derivation function performing a hashing multipletimes using a Cipher-based Message Authentication Code (CMAC); sending acopy of the encrypted commissioning credential to the border router,effective to enable the border router to authenticate the commissioningdevice to the mesh network; and when the commissioner is active on themesh network, the commissioning dataset further comprises a location ofthe border router.

A mesh network device implemented as a leader device of a mesh network,the mesh network device comprises a mesh network interface configuredfor communication in the mesh network; a memory and processor system toimplement a commissioning application that is configured to: receive,via the mesh network interface, a petition to accept a commissioningdevice as a commissioner to commission joining devices to join the meshnetwork; determine whether to accept or reject the received petition;initiate a response being transmitted, including an indication of thedetermination of whether to accept or reject the received petition; andresponsive to the determination being an acceptance of the receivedpetition, update an internal state that tracks an active commissionerfor the mesh network.

Alternatively or in addition to the above described mesh network device,any one or combination of: the commissioning application is configuredto receive, from the commissioning device, a command to initiate ajoining mode for the mesh network; the commissioning application isconfigured to propagate a commissioning dataset within the mesh network;the commissioning dataset comprises: a commissioner session identifier,a commissioner timestamp, an encrypted commissioner credential, and asecurity policy that indicates which security-related operations areallowed in the mesh network, the commissioning application furtherconfigured to derive the encrypted commissioning credential from acommissioning credential that was injected into the leader device duringcommissioning of the leader device, wherein the derivation of theencrypted commissioning credential is performed by applying a keyderivation function, the key derivation function performing a hashingmultiple times using a Cipher-based Message Authentication Code (CMAC);the commissioning application is configured to send a copy of theencrypted commissioning credential to the border router, effective toenable the border router to authenticate the commissioning device to themesh network; and when the commissioner is active on the mesh network,the commissioning dataset further comprises a location of the borderrouter.

A mesh network system comprises a commissioning device configured topetition to become a commissioner to commission one or more joiningdevices to join a mesh network, and a leader device of the mesh network,the leader device configured to: receive a petition to accept thecommissioning device as the commissioner to commission the joiningdevices to join the mesh network; determine whether to accept or rejectthe received petition; transmit a response including an indication ofthe determination as to whether to accept or reject the receivedpetition; and in response to the determination being an acceptance,update an internal state that tracks an active commissioner for the meshnetwork.

Alternatively or in addition to the above described mesh network system,any one or combination of: the leader device is configured to receive,from the commissioning device, a command to initiate a joining mode forthe mesh network; the leader device is configured to propagate acommissioning dataset within the mesh network; the commissioning datasetcomprises: a commissioner session identifier, a commissioner timestamp,an encrypted commissioner credential, and a security policy thatindicates which security-related operations are allowed in the meshnetwork, the leader device further configured to derive the encryptedcommissioning credential from a commissioning credential that wasinjected into the leader device during commissioning of the leaderdevice, wherein the derivation of the encrypted commissioning credentialis performed by applying a key derivation function, the key derivationfunction performing a hashing multiple times using a Cipher-basedMessage Authentication Code (CMAC); the leader device is configured tosend a copy of the encrypted commissioning credential to the borderrouter, effective to enable the border router to authenticate thecommissioning device to the mesh network; and when the commissioner isactive on the mesh network, the commissioning dataset further comprisesa location of the border router.

A method of securely establishing network communication sessions forjoining one or more joining devices to a mesh network comprisesestablishing a secure commissioning communication session between acommissioning device and a border router of the mesh network; activatingjoining for the mesh network; receiving, by the commissioning device, arequest from one of the joining devices to join the mesh network;establishing a secure joiner communication session between thecommissioning device and the joining device; and joining the joiningdevice to the mesh network.

Alternatively or in addition to the above described method, any one orcombination of: establishing the secure commissioning communicationsession comprises: sending a petition from the commissioning device to aleader device of the mesh network to request acceptance of thecommissioning device as an active commissioner for the mesh network, andreceiving an indication of an acceptance of the petition from the leaderdevice; activating joining for the mesh network comprises thecommissioning device initiating a joining mode that causes one or morerouters in the mesh network to advertise that the mesh network isaccepting joining requests; activating joining for the mesh networkcomprises sending a management message to a leader device to make themesh network joinable, the management message effective to enable theleader device to update network data for the mesh network, and propagatethe network data to one or more router devices in the mesh network, thenetwork data comprising an indication that the mesh network is availablefor joining; authenticating the joining device, using an encrypteddevice identifier; receiving the request from one of the joining devicesto join the mesh network is received via a joiner router, the methodfurther comprising: transmitting, to the joiner router, an indicationthat the joining device is to be entrusted to receive networkcredentials for the mesh network and a Key Encryption Key (KEK), whichis shared between the commissioning device and the joining device, saidtransmitting being effective to enable the joiner router to use thereceived KEK to securely transmit the network credentials to the joiningdevice to commission the joining device to the mesh network; receivingthe request from the joining device comprises receiving an encrypteddevice identifier of the joining device, and wherein the encrypteddevice identifier is derived from a device identifier of the joiningdevice using Password Authentication Key Exchange by Juggling (J-PAKE);establishing the secure joiner communication session comprises:determining, by the commissioning device, that the encrypted deviceidentifier received from the joining device matches an encrypted deviceidentifier derived by the commissioning device from a copy of the deviceidentifier that is received as an input to the commissioning device froma user, and using the encrypted device identifier as a shared secret tosecure the joiner communication session.

A mesh network device implemented as a commissioning device for joiningone or more joining devices to a mesh network, the mesh network devicecomprises a mesh network interface configured for communication in themesh network; a memory and processor system to implement a commissioningapplication that is configured to: establish a secure commissioningcommunication session between the commissioning device and a borderrouter of the mesh network; activate joining for the mesh network;receive, via the mesh network interface, a request from one of thejoining devices to join the mesh network; establish a secure joinercommunication session between the commissioning device and the joiningdevice; and join the joining device to the mesh network.

Alternatively or in addition to the above described mesh network device,any one or combination of: the commissioning application is configuredto: send a petition from the commissioning device to a leader device ofthe mesh network to request acceptance of the commissioning device as anactive commissioner for the mesh network, and receive an indication ofan acceptance of the petition from the leader device; the commissioningapplication is configured to said activate joining for the mesh networkby initiating a joining mode that causes one or more routers in the meshnetwork to advertise that the mesh network is accepting joiningrequests; the commissioning application is configured to said activatejoining for the mesh network by sending a management message to a leaderdevice to make the mesh network joinable, the management messageenabling the leader device to update network data for the mesh network,and propagate the network data to one or more router devices in the meshnetwork, the network data comprising an indication that the mesh networkis available for joining; the request received from the joining devicecomprises an encrypted device identifier of the joining device, andwherein the encrypted device identifier is derived from a deviceidentifier of the joining device using Password Authentication KeyExchange by Juggling (J-PAKE); the commissioning application isconfigured to establish the secure joiner communication session furtherconfigured to: determine that the encrypted device identifier receivedfrom the joining device matches an encrypted device identifier derivedby the commissioning device from a copy of the device identifier that isreceived as an input to the commissioning device from a user, and usethe encrypted device identifier as a shared secret to secure the joinercommunication session; the commissioning application is configured toforward the request from the joining device to join the mesh network,the request forwarded to the commissioning device by one or more routerdevices in the mesh network.

A mesh network system comprises one or more joining devices configuredto request joining a mesh network, and a commissioning device of themesh network, the commissioning device configured to: establish a securecommissioning communication session between the commissioning device anda border router of the mesh network; activate joining for the meshnetwork; receive a request from one of the joining devices to join themesh network; establish a secure joiner communication session betweenthe commissioning device and the joining device; and join the joiningdevice to the mesh network.

Alternatively or in addition to the above described mesh network system,any one or combination of: the commissioning device, to establish thesecure commissioning communication session, is configured to: send apetition from the commissioning device to a leader device of the meshnetwork to request acceptance of the commissioning device as an activecommissioner for the mesh network, and receive an indication of anacceptance of the petition from the leader device; the commissioningdevice is configured to said activate joining for the mesh network byinitiating a joining mode that causes one or more routers in the meshnetwork to advertise that the mesh network is accepting joiningrequests; the commissioning device is configured to said activatejoining for the mesh network by sending a management message to a leaderdevice to make the mesh network joinable, the management messageenabling the leader device to update network data for the mesh network,and propagate the network data to one or more router devices in the meshnetwork, the network data comprising an indication that the mesh networkis available for joining; the commissioning device is configured to:said receive the request from one of the joining devices to join themesh network via a joiner router, and transmit, to the joiner router, anindication that the joining device is to be entrusted to receive networkcredentials for the mesh network and a Key Encryption Key (KEK), whichis shared between the commissioning device and the joining device, thetransmitted indication enabling the joiner router to use the receivedKEK to securely transmit the network credentials to the joining deviceto commission the joining device to the mesh network.

A method of provisioning a joining device in a mesh network comprisesestablishing a commissioning communication session between acommissioning device and a border router of the mesh network;establishing a joiner communication session between the joining deviceand the commissioning device; sending commissioning information to thejoining device, the commissioning information being usable by thejoining device to join the mesh network; receiving an indication of alocation of a commissioner application from the joining device; andexecuting the commissioner application to provision the joining device.

Alternatively or in addition to the above described method, any one orcombination of: retrieving the commissioner application utilizing thereceived indication; the received indication of the location of thecommissioner application is a Uniform Resource Locator (URL); thecommissioner application is retrieved over the Internet from a cloudservice; the commissioning device uses the received URL to determine ifthe commissioner application is stored in a memory of the commissioningdevice; responsive to completing the provisioning of the joining device,finalizing commissioning of the joining device, the finalizing beingeffective to enable the joining device to join the mesh network; theprovisioning of the joining device comprises updating software on thejoining device; the provisioning of the joining device comprises linkingthe joining device to a user account on a cloud service; theprovisioning of the joining device comprises configuring the joiningdevice; and the configuration is a local configuration related to otherdevices in the mesh network.

A mesh network device implemented as a commissioning device, the meshnetwork device comprises a mesh network interface configured forcommunication in a mesh network; a memory and processor system toimplement a commissioning application that is configured to: establish acommissioning communication session between the commissioning device anda border router of the mesh network; establish a joiner communicationsession between the joining device and the commissioning device; sendcommissioning information to the joining device, the commissioninginformation being usable by the joining device to join the mesh network;receive an indication of a location of a commissioner application fromthe joining device; and execute the commissioner application toprovision the joining device.

Alternatively or in addition to the above described mesh network device,any one or combination of: the commissioning application is configuredto retrieve the commissioner application utilizing the receivedindication; the received indication of the location of the commissionerapplication is a Uniform Resource Locator (URL); the commissionerapplication is retrieved over the Internet from a cloud service; thecommissioning device uses the received URL to determine if thecommissioner application is stored in a memory of the commissioningdevice.

A mesh network system comprises a joining device configured to requestjoining a mesh network, and a commissioning device of the mesh network,the commissioning device configured to: establish a commissioningcommunication session between the commissioning device and a borderrouter of the mesh network; establish a joiner communication sessionbetween the joining device and the commissioning device; sendcommissioning information to the joining device, the commissioninginformation being usable by the joining device to join the mesh network;receive an indication of a location of a commissioner application fromthe joining device; and execute the commissioner application toprovision the joining device.

Alternatively or in addition to the above described mesh network system,any one or combination of: the commissioning application is configuredto retrieve the commissioner application utilizing the receivedindication; the received indication of the location of the commissionerapplication is a Uniform Resource Locator (URL); the commissionerapplication is retrieved over the Internet from a cloud service; and thecommissioning device uses the received URL to determine if thecommissioner application is stored in a memory of the commissioningdevice.

A method of identifying devices that are allowed to join a mesh networkcomprises determining steering data for the mesh network, the steeringdata comprising an indication of a device identifier associated with adevice that is allowed to join the mesh network, and propagating thesteering data from a commissioning device for the mesh network to one ormore routers in the mesh network, said propagating enabling the one ormore routers to transmit the steering data in a beacon message, thesteering data effective to enable the device associated with the deviceidentifier to identify that the device is allowed to join the meshnetwork.

Alternatively or in addition to the above described method, any one orcombination of: the steering data comprises a 16 bit Cyclic RedundancyCheck (CRC16) of the device identifier; the device identifier is an IEEE64-bit Extended Unique Identifier (EUI-64); said determining thesteering data for the mesh network further comprises determining thesteering data for additional device identifiers associated withadditional devices that are allowed to join the mesh network; saidpropagating the steering data is effective to enable the device todistinguish the mesh network from other networks; the other networks areIEEE 802.15.4 networks; and the steering data indicates that acommissioner is active on the mesh network.

A mesh network device implemented as a commissioning device, the meshnetwork device comprises a mesh network interface configured forcommunication in a mesh network; a memory and processor system toimplement a commissioning application that is configured to: determinesteering data for the mesh network, the steering data comprising anindication of a device identifier associated with a device that isallowed to join the mesh network; and propagate the steering data from acommissioning device for the mesh network to one or more routers in themesh network, the propagation being enabling the one or more routers totransmit the steering data in a beacon message, the steering data beingeffective to enable the device associated with the device identifier toidentify that the device is allowed to join the mesh network.

Alternatively or in addition to the above described mesh network device,any one or combination of: the steering data comprises a 16 bit CyclicRedundancy Check (CRC16) of the device identifier; the device identifieris an IEEE 64-bit Extended Unique Identifier (EUI-64); the commissioningapplication, to determine the steering data for the mesh network, isconfigured to determine the steering data for additional deviceidentifiers associated with additional devices that are allowed to jointhe mesh network; the steering data is usable by the device todistinguish the mesh network from other networks; the other networks areIEEE 802.15.4 networks; and the steering data indicates that acommissioner is active on the mesh network.

A mesh network system comprises a joining device configured to requestjoining a mesh network, and a commissioning device of the mesh network,the commissioning device configured to: determine steering data for themesh network, the steering data comprising an indication of a deviceidentifier associated with a device that is allowed to join the meshnetwork; and propagate the steering data from a commissioning device forthe mesh network to one or more routers in the mesh network, thepropagation being enabling the one or more routers to transmit thesteering data in a beacon message, the steering data being effective toenable the device associated with the device identifier to identify thatthe device is allowed to join the mesh network.

Alternatively or in addition to the above described mesh network system,any one or combination of: the steering data comprises a 16 bit CyclicRedundancy Check (CRC16) of the device identifier; the device identifieris an IEEE 64-bit Extended Unique Identifier (EUI-64); the commissioningdevice, to determine the steering data for the mesh network, isconfigured to determine the steering data for additional deviceidentifiers associated with additional devices that are allowed to jointhe mesh network; the steering data enables the device to distinguishthe mesh network from other networks; the steering data indicates that acommissioner is active on the mesh network.

A method of identifying devices that are allowed to join a mesh networkcomprises determining steering data for the mesh network, the steeringdata comprising an indication of a device identifier associated with adevice that is allowed to join the mesh network, and the indicationbeing represented as a set of values in a Bloom filter that representthe device identifier; and propagating the steering data from acommissioning device for the mesh network to one or more routers in themesh network, said propagating enabling the one or more routers totransmit the steering data in a beacon message, the steering dataenabling the device associated with the device identifier to compare theset of values in the Bloom filter to a second set of values determinedat the device to identify that the device is allowed to join the meshnetwork.

Alternatively or in addition to the above described method, any one orcombination of: determining the steering data comprises: applying afirst hash function to the device identifier to produce a first hashvalue, applying a second hash function to the device identifier toproduce a second hash value, performing a modulo operation on the firsthash value to determine a first bit field location in the Bloom filter,performing the modulo operation on the second hash value to determine asecond bit field location in the Bloom filter, setting a value in thefirst bit field location of the Bloom filter to one, and setting thevalue in the second bit field location of the Bloom filter to one; thefirst and second hash functions are Cyclic Redundancy Checks (CRC), thefirst hash function being a CRC16-CCITT, and the second hash functionbeing a CRC16-ANSI; a divisor for the modulo operation is the length ofa bit array of the Bloom filter; the device identifier is an IEEE 64-bitExtended Unique Identifier (EUI-64); the device identifier is the leastsignificant twenty-four bits of the EUI-64; determining the steeringdata for the mesh network further comprises determining the steeringdata for additional device identifiers associated with additionaldevices that are allowed to join the mesh network; setting the value ofthe steering data to a value of zero, which disables joining for themesh network; and setting all bit field values in the steering data to avalue of one to indicate that the mesh network is joinable for anydevice.

A mesh network device implemented as a commissioning device, the meshnetwork device comprises a mesh network interface configured forcommunication in a mesh network; a memory and processor system toimplement a commissioning application that is configured to: determinesteering data for the mesh network, the steering data comprising anindication of a device identifier associated with a device that isallowed to join the mesh network, and the indication being representedas a set of values in a Bloom filter that represent the deviceidentifier; and propagate the steering data to one or more routers inthe mesh network, the propagation effective to enable the one or morerouters to transmit the steering data in a beacon message, the steeringdata enabling the device associated with the device identifier tocompare the set of values in the Bloom filter to a second set of valuesdetermined at the device to identify that the device is allowed to jointhe mesh network.

Alternatively or in addition to the above described mesh network device,any one or combination of: the commissioning application is configuredto: apply a first hash function to the device identifier to produce afirst hash value, apply a second hash function to the device identifierto produce a second hash value, perform a modulo operation on the firsthash value to determine a first bit field location in the Bloom filter,perform the modulo operation on the second hash value to determine asecond bit field location in the Bloom filter, set a value in the firstbit field location of the Bloom filter to one, and set the value in thesecond bit field location of the Bloom filter to one; the first andsecond hash functions are Cyclic Redundancy Checks (CRC), the first hashfunction being a CRC16-CCITT, and the second hash function being aCRC16-ANSI; and a divisor for the modulo operation is the length of abit array of the Bloom filter; the device identifier is an IEEE 64-bitExtended Unique Identifier (EUI-64).

A mesh network system comprises a joining device configured to requestjoining a mesh network, and a commissioning device configured to:determine steering data for the mesh network, the steering datacomprising an indication of a device identifier associated with a devicethat is allowed to join the mesh network, and the indication beingrepresented as a set of values in a Bloom filter that represent thedevice identifier; and propagate the steering data to one or morerouters in the mesh network, the propagation effective to enable the oneor more routers to transmit the steering data in a beacon message, thesteering data enabling the device associated with the device identifierto compare the set of values in the Bloom filter to a second set ofvalues determined at the device to identify that the device is allowedto join the mesh network.

Alternatively or in addition to the above described mesh network system,any one or combination of: the commissioning device is configured to:apply a first hash function to the device identifier to produce a firsthash value, apply a second hash function to the device identifier toproduce a second hash value, perform a modulo operation on the firsthash value to determine a first bit field location in the Bloom filter,perform the modulo operation on the second hash value to determine asecond bit field location in the Bloom filter, set a value in the firstbit field location of the Bloom filter to one, and set the value in thesecond bit field location of the Bloom filter to one; the first andsecond hash functions are Cyclic Redundancy Checks (CRC), the first hashfunction being a CRC16-CCITT, and the second hash function being aCRC16-ANSI; a divisor for the modulo operation is the length of a bitarray of the Bloom filter; the device identifier is an IEEE 64-bitExtended Unique Identifier (EUI-64); the computing device, to determinethe steering data for the mesh network, is configured to determine thesteering data for additional device identifiers associated withadditional joiner devices that are allowed to join the mesh network.

A method of updating commissioning data in nodes of a mesh networkcomprises receiving a commissioning dataset at a node device in the meshnetwork; comparing a timestamp included in the received commissioningdataset with a stored timestamp included in a commissioning dataset thatis stored in the node device; determining, from said comparing, that thestored timestamp is more recent than the received timestamp; and inresponse to said determining, transmitting a message to a leader deviceof the mesh network, the message comprising the stored commissioningdataset and being effective to enable the leader device to accept thestored commissioning dataset as the most recent commissioning datasetfor the mesh network, and propagate the stored commissioning dataset tothe mesh network.

Alternatively or in addition to the above described method, any one orcombination of: determining, from said comparing, that the receivedtimestamp is more recent than the stored timestamp, and in response tosaid determining that the received timestamp is more recent than thestored timestamp, updating the stored commissioning dataset to match thereceived commissioning dataset; the received commissioning datasetcomprises: the received timestamp, a commissioning credential, a networkname of the mesh network, and a security policy that indicates whichsecurity-related operations are allowed in the mesh network; thereceived timestamp comprises a time value, and an indication that thetime value is traceable to Coordinated Universal Time (UTC); the nodedevice and the leader device were previously commissioned to the meshnetwork, and wherein the previous commissioning stored identicalcommissioning datasets in the node device and the leader device; thestored commissioning dataset in the node device is updated after a splitof the mesh network, the split separating the mesh network into aplurality of partitions, wherein a first partition of the mesh networkincludes the leader device, and wherein a second partition of the meshnetwork includes the node device; the split stops communication betweenthe node device and the leader device over the mesh network; receivingthe commissioning dataset at the node device occurs after a merge of thefirst partition and the second partition of the mesh network, the mergere-establishing a communication path between the node device and theleader device over the mesh network; and the node device is a routerdevice or a router-eligible device.

A mesh network device implemented as a router, the mesh network devicecomprises: a mesh network interface configured for communication in amesh network; a memory and processor system to implement a commissioningapplication that is configured to: receive a commissioning dataset;compare a timestamp included in the received commissioning dataset witha stored timestamp included in a commissioning dataset that is stored inthe router; determine from the comparison that the stored timestamp ismore recent than the received timestamp; and in response to thedetermination, transmit a message to a leader device of the meshnetwork, the message comprising the stored commissioning dataset andbeing effective to enable the leader device to accept the storedcommissioning dataset as the most recent commissioning dataset for themesh network, and propagate the stored commissioning dataset to the meshnetwork.

Alternatively or in addition to the above described mesh network device,any one or combination of: the commissioning application is configuredto: determine from the comparison that the received timestamp is morerecent than the stored timestamp, and in response to the determinationthat the received timestamp is more recent than the stored timestamp,update the stored commissioning dataset to match the receivedcommissioning dataset; the received commissioning dataset comprises: thereceived timestamp, a commissioning credential, a network name of themesh network, and a security policy that indicates whichsecurity-related operations are allowed in the mesh network; thereceived timestamp comprises a time value, and an indication that thetime value is traceable to Coordinated Universal Time (UTC); the routerand the leader device were previously commissioned to the mesh network,and wherein the previous commissioning stored identical commissioningdatasets in the router and the leader device; and the storedcommissioning dataset in the router is updated after a split of the meshnetwork, the split separating the mesh network into a plurality ofpartitions, wherein a first partition of the mesh network includes theleader device, and wherein a second partition of the mesh networkincludes the router.

A mesh network system comprises a leader device configured to maintaincommissioning data for the mesh network, and a router device configuredto: receive a commissioning dataset; compare a timestamp included in thereceived commissioning dataset with a stored timestamp included in acommissioning dataset that is stored in the router; determine from thecomparison that the stored timestamp is more recent than the receivedtimestamp; and in response to the determination, transmit a message to aleader device of the mesh network, the message comprising the storedcommissioning dataset and being effective to enable the leader device toaccept the stored commissioning dataset as the most recent commissioningdataset for the mesh network, and propagate the stored commissioningdataset to the mesh network.

Alternatively or in addition to the above described mesh network system,any one or combination of: the router device is configured to: determinefrom the comparison that the received timestamp is more recent than thestored timestamp, and in response to the determination that the receivedtimestamp is more recent than the stored timestamp, update the storedcommissioning dataset to match the received commissioning dataset; thereceived commissioning dataset comprises: the received timestamp, acommissioning credential, a network name of the mesh network, and asecurity policy that indicates which security-related operations areallowed in the mesh network; the received timestamp comprises a timevalue, and an indication that the time value is traceable to CoordinatedUniversal Time (UTC); and the router and the leader device werepreviously commissioned to the mesh network, and wherein the previouscommissioning stored identical commissioning datasets in the router andthe leader device.

The invention claimed is:
 1. A method of securely establishing networkcommunication sessions for joining one or more joining devices to a meshnetwork, the method comprising: establishing a secure commissioningcommunication session between a commissioning device and a border routerof the mesh network, said establishing the secure commissioningcommunication session comprising: sending a petition from thecommissioning device to a leader device of the mesh network to requestacceptance of the commissioning device as an active commissioner for themesh network; and receiving an indication of an acceptance of thepetition from the leader device; activating joining for the meshnetwork, said activating comprising sending a management message to theleader device to make the mesh network joinable, the management messageeffective to enable the leader device to update network data for themesh network and propagate the network data to one or more routerdevices in the mesh network; receiving, by the commissioning device, arequest from one of the joining devices to join the mesh network;establishing a secure joiner communication session between thecommissioning device and the joining device; and joining the joiningdevice to the mesh network.
 2. The method as recited in claim 1, whereinsaid activating joining for the mesh network comprises the commissioningdevice initiating a joining mode that causes the one or more routerdevices in the mesh network to advertise that the mesh network isaccepting joining requests.
 3. The method as recited in claim 1, whereinthe network data comprises an indication that the mesh network isavailable for joining.
 4. The method as recited in claim 1, furthercomprising: authenticating the joining device, using an encrypted deviceidentifier.
 5. The method as recited in claim 4, wherein said receivingthe request from one of the joining devices to join the mesh network isreceived via a joiner router, the method further comprising:transmitting, to the joiner router, an indication that the joiningdevice is to be entrusted to receive network credentials for the meshnetwork and a Key Encryption Key (KEK), which is shared between thecommissioning device and the joining device, said transmitting beingeffective to enable the joiner router to use the received KEK tosecurely transmit the network credentials to the joining device tocommission the joining device to the mesh network.
 6. The method asrecited in claim 1, wherein said receiving the request from the joiningdevice comprises receiving an encrypted device identifier of the joiningdevice, and wherein the encrypted device identifier is derived from adevice identifier of the joining device using Password AuthenticationKey Exchange by Juggling (J-PAKE).
 7. The method as recited in claim 6,wherein said establishing the secure joiner communication sessioncomprises: determining, by the commissioning device, that the encrypteddevice identifier received from the joining device matches an encrypteddevice identifier derived by the commissioning device from a copy of thedevice identifier that is received as an input to the commissioningdevice from a user; and using the encrypted device identifier as ashared secret to secure the joiner communication session.
 8. A meshnetwork device implemented as a commissioning device for joining one ormore joining devices to a mesh network, the mesh network devicecomprising: a mesh network interface configured for communication in themesh network; a memory and processor system to implement a commissioningapplication that is configured to: establish a secure commissioningcommunication session between the commissioning device and a borderrouter of the mesh network, the establishment of the securecommissioning communication session configures the commissioningapplication to: send a petition from the commissioning device to aleader device of the mesh network to request acceptance of thecommissioning device as an active commissioner for the mesh network; andreceive an indication of an acceptance of the petition from the leaderdevice; activate joining for the mesh network, the activationconfiguring the commissioning application to send a management messageto the leader device of the mesh network to make the mesh networkjoinable, the management message effective to enable the leader deviceto update network data for the mesh network and propagate the networkdata to one or more router devices in the mesh network; receive, via themesh network interface, a request from one of the joining devices tojoin the mesh network; establish a secure joiner communication sessionbetween the commissioning device and the joining device; and join thejoining device to the mesh network.
 9. The mesh network device asrecited in claim 8, wherein the commissioning application is configuredto said activate joining for the mesh network by initiating a joiningmode that causes the one or more router devices in the mesh network toadvertise that the mesh network is accepting joining requests.
 10. Themesh network device as recited in claim 8, wherein the network datacomprises an indication that the mesh network is available for joining.11. The mesh network device as recited in claim 8, wherein the requestreceived from the joining device comprises an encrypted deviceidentifier of the joining device, and wherein the encrypted deviceidentifier is derived from a device identifier of the joining deviceusing Password Authentication Key Exchange by Juggling (J-PAKE).
 12. Themesh network device as recited in claim 11, wherein the commissioningapplication is configured to establish the secure joiner communicationsession further configured to: determine that the encrypted deviceidentifier received from the joining device matches an encrypted deviceidentifier derived by the commissioning device from a copy of the deviceidentifier that is received as an input to the commissioning device froma user; and use the encrypted device identifier as a shared secret tosecure the joiner communication session.
 13. The mesh network device asrecited in claim 8, wherein the commissioning application is configuredto forward the request from the joining device to join the mesh network,the request forwarded to the commissioning device by the one or morerouter devices in the mesh network.
 14. A mesh network system,comprising: one or more joining devices configured to request joining amesh network; and a commissioning device of the mesh network, thecommissioning device configured to: establish a secure commissioningcommunication session between the commissioning device and a borderrouter of the mesh network, the establishment of the securecommissioning communication session configures the commissioning deviceto: send a petition from the commissioning device to a leader device ofthe mesh network to request acceptance of the commissioning device as anactive commissioner for the mesh network; and receive an indication ofan acceptance of the petition from the leader device; activate joiningfor the mesh network, the activation configuring the commissioningdevice to send a management message to the leader device of the meshnetwork to make the mesh network joinable, the management messageeffective to enable the leader device to update network data for themesh network and propagate the network data to one or more routerdevices in the mesh network; receive a request from one of the joiningdevices to join the mesh network; establish a secure joinercommunication session between the commissioning device and the joiningdevice; and join the joining device to the mesh network.
 15. A meshnetwork system as recited in claim 14, wherein the commissioning deviceis configured to said activate joining for the mesh network byinitiating a joining mode that causes the one or more router devices inthe mesh network to advertise that the mesh network is accepting joiningrequests.
 16. A mesh network system as recited in claim 14, wherein thenetwork data comprises an indication that the mesh network is availablefor joining.
 17. A mesh network system as recited in claim 14, whereinthe commissioning device is configured to: authenticate the joiningdevice, using an encrypted device identifier.
 18. A mesh network systemas recited in claim 17, wherein the commissioning device is configuredto: said receive the request from one of the joining devices to join themesh network via a joiner router; and transmit, to the joiner router, anindication that the joining device is to be entrusted to receive networkcredentials for the mesh network and a Key Encryption Key (KEK), whichis shared between the commissioning device and the joining device, thetransmitted indication enabling the joiner router to use the receivedKEK to securely transmit the network credentials to the joining deviceto commission the joining device to the mesh network.
 19. A mesh networksystem as recited in claim 14, wherein the request received from thejoining device comprises an encrypted device identifier of the joiningdevice, and wherein the encrypted device identifier is derived from adevice identifier of the joining device using Password AuthenticationKey Exchange by Juggling (J-PAKE).
 20. A mesh network system as recitedin claim 19, wherein the commissioning device is configured to establishthe secure joiner communication session further configured to: determinethat the encrypted device identifier received from the joining devicematches an encrypted device identifier derived by the commissioningdevice from a copy of the device identifier that is received as an inputto the commissioning device from a user; and use the encrypted deviceidentifier as a shared secret to secure the joiner communicationsession.